EXECUTIVE SUMMARY 


Earlier this year, during a security sweep, Kaspersky Lab detected a cyber intrusion 
affecting several of its internal systems. 

Following this finding, we launched a large-scale investigation, which led to the 
discovery of a new malware platform from one of the most skilled, mysterious and 
powerful groups in the APT world: Duqu. The Duqu threat actor went dark in 2012 and 
was believed to have stopped working on this project - until now. Our technical analysis 
indicates that the new round of attacks includes an updated version of the infamous 2011 
Duqu malware [1], sometimes referred to as the step-brother of Stuxnet [2]. We named this 
new malware and its associated platform "Duqu 2.0". 

Victims of Duqu 2.0 have been found in several places, including western countries, the 
Middle East and Asia. The actor appears to compromise both final and utilitarian targets, 
which allows them to improve their cyber capabilities. 

Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and 
venues related to the negotiations with Iran about a nuclear deal. The threat actor behind 
Duqu appears to have launched attacks at the venues for some of these high-level talks. 
In addition to the P5+1 events, the Duqu 2.0 group has launched a similar attack in 
relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau [3]. 

In the case of Kaspersky Lab, the attack took advantage of a zero-day (CVE-2015-2360) 
in the Windows kernel, patched by Microsoft on June 9 2015, and possibly up to two 
other, currently patched vulnerabilities, which were zero-days at that time. 


1 https://en.wikipedia.org/wiki/Duqu 

2 http://www.kaspersky.com/about/news/virus/2011/Duqu_The_Step_Brother_of_Stuxnet 

3 http://70.auschwitz.org/index.php?lang=en 


For any inquiries, please contact intelreports@kaspersky.com 




THE DUQU 2.0 

Technical Details 


KASPERSKY 


INITIAL ATTACK 


The initial attack against Kaspersky Lab began with the targeting of an employee in 
one of our smaller APAC offices. The original infection vector for Duqu 2.0 is currently 
unknown, although we suspect spear-phishing e-mails played an important role: one of 
the patients zero we identified had their mailbox and web browser history wiped to hide 
traces of the attack. Since the respective machines were fully patched, we believe a 
zero-day exploit was used. 

In 2011, we were able to identify Duqu attacks that used Word documents containing an 
exploit for a zero-day vulnerability (CVE-2011-3402) that relied on a malicious embedded 
TTF (TrueType font) file. This exploit allowed the attackers to jump directly into kernel 
mode from a Word document, a very powerful and extremely rare technique. A similar 
technique and zero-day exploit (CVE-2014-4148) [4] appeared again in June 2014, as part 
of an attack against a prominent international organization. The C&C server used in this 
2014 attack, as well as other factors, has certain similarities with Duqu; however, the 
malware is different from both Duqu and Duqu 2.0. It is possible that this is a parallel 
project from the Duqu group and that the same zero-day (CVE-2014-4148) might have been 
used to install Duqu 2.0. 

Once the attackers successfully infected one machine, they moved on to the next stage. 

LATERAL MOVEMENT 


In general, once the attackers gain access into a network, two phases follow: 

• Reconnaissance and identification of network topology 

• Lateral movement 

In the case of Duqu 2.0, the lateral movement technique appears to have taken 
advantage of another zero-day (CVE-2014-6324), which was patched in November 2014 
with MS14-068 [5]. This exploit allows an unprivileged domain user to elevate credentials 
to a domain administrator account. Although we couldn't retrieve a copy of this exploit, 
the logged events match the Microsoft detection guidance for this attack. Malicious 
modules were also observed performing a "pass the hash" attack inside the local 
network, effectively giving the attackers many different ways to do lateral movement. 

Once the attackers have gained domain administrator privileges, they can use these 
permissions to infect other computers in the domain. 

To infect other computers in the domain, the attackers use a few different strategies. In 
most of the attacks we monitored, they prepare Microsoft Windows Installer Packages 
(MSI) and then deploy them remotely to other machines. To launch them, the attackers 
create a service on the target machine with the following command line: 

msiexec.exe /i "C:\\[...]\tmp8585e3d6.tmp" /q PROP=9c3c7076-d79f-4c 


4 https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html 

5 https://technet.microsoft.com/library/security/MS14-068 
The PROP value above is set to a random 56-bit encryption key that is required to 
decrypt the main payload from the package. Other known names for this parameter 
observed in the attacks are "HASHVA" and "CKEY". The folder where the package is 
deployed can be different from case to case, depending on what the attackers can 
access on the remote machine. 

In addition to creating services to infect other computers in the LAN, attackers can also 
use the Task Scheduler to start "msiexec.exe" remotely. The usage of Task Scheduler 
during Duqu infections for lateral movement was also observed with the 2011 version 
and was described by Symantec [6] in their technical analysis. 

Event 201, TaskScheduler 
General Details 

Task Scheduler successfully completed task "\ff265adc-c44c-4243-a354-c582a721fe83", instance 
"{35d00646-d81a-4b84-bd21-2374f72205b0}", action "msiexec.exe" with return code 1602. 

Log Name: Microsoft-Windows-TaskScheduler/Operational 
Source: TaskScheduler    Logged: 

"msiexec.exe" - Task Scheduler trace in the logs 
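Both launch methods leave a recognisable trace on the target: a newly created service or a scheduled task whose action is msiexec.exe, a silent (/q) install of a package dropped under a .tmp name, and the decryption key handed over as a custom MSI property (PROP, HASHVA or CKEY). The following Python detector is an added example written for this page, not code from the report or from Kaspersky Lab; the service command lines and the Task Scheduler event 201 message it parses are constructed sample records modelled on the ones quoted above, with an assumed C:\Windows\Temp directory standing in for the elided path.

```python
"""Detect msiexec.exe launched the way the report describes for Duqu 2.0 lateral
movement: a remotely created service or scheduled task runs msiexec with a
silent (/q) install of a package dropped as a .tmp file, passing the payload
decryption key as a custom MSI property (PROP, HASHVA or CKEY).
Added example for this page, not code from the report; all sample records below
are constructed (the C:\\Windows\\Temp directory stands in for the elided path)."""

import re
from dataclasses import dataclass

# Property names the report lists as carriers of the package decryption key.
KEY_PROPERTY_NAMES = {"PROP", "HASHVA", "CKEY"}

_MSIEXEC_RE = re.compile(
    r'msiexec(?:\.exe)?\s+/i\s+"?(?P<pkg>[^"\s]+)"?(?P<rest>.*)', re.IGNORECASE)
_QUIET_RE = re.compile(r"\s/q[nb]?(?:\s|$)", re.IGNORECASE)
_PROP_RE = re.compile(r"\b(?P<name>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>\S+)")
_TASK_EVENT_RE = re.compile(
    r'Task Scheduler successfully completed task "(?P<task>[^"]+)"\s*,\s*'
    r'instance\s*"(?P<instance>[^"]+)"\s*,\s*action "(?P<action>[^"]+)"'
    r" with return code (?P<rc>\d+)")
_GUID_RE = re.compile(r"\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?")


@dataclass
class Finding:
    source: str          # where the command line was seen (e.g. service creation)
    package: str         # MSI package path passed to /i
    key_property: str    # property name used to hand over the key
    reasons: list


def inspect_command_line(source: str, cmdline: str):
    """Return a Finding when a command line matches the remote-MSI pattern, else None.
    A key-carrying property is mandatory; at least one more indicator (.tmp package
    or silent install) must also be present."""
    m = _MSIEXEC_RE.search(cmdline)
    if not m:
        return None
    pkg, rest = m.group("pkg"), m.group("rest")
    reasons = []
    if pkg.lower().endswith(".tmp"):
        reasons.append("package has a .tmp extension")
    if _QUIET_RE.search(rest):
        reasons.append("silent install (/q)")
    key_prop = next((pm.group("name") for pm in _PROP_RE.finditer(rest)
                     if pm.group("name").upper() in KEY_PROPERTY_NAMES), "")
    if not key_prop or not reasons:
        return None
    reasons.append(f"key passed as MSI property {key_prop}")
    return Finding(source, pkg, key_prop, reasons)


def inspect_task_event(message: str):
    """Parse a Microsoft-Windows-TaskScheduler/Operational event 201 message.
    Returns (task_name, action, return_code) when the action is msiexec.exe and
    the task name is a bare GUID, the shape quoted in the report; else None."""
    m = _TASK_EVENT_RE.search(message)
    if not m:
        return None
    task = m.group("task").lstrip("\\")
    if m.group("action").lower() == "msiexec.exe" and _GUID_RE.fullmatch(task):
        return (task, m.group("action"), int(m.group("rc")))
    return None


# Constructed sample input, modelled on the command line and event quoted above.
SAMPLE_SERVICE_CMDLINES = [
    ("service-create", r'msiexec.exe /i "C:\Windows\Temp\tmp8585e3d6.tmp" /q PROP=9c3c7076-d79f-4c'),
    ("service-create", r'msiexec.exe /i "C:\Windows\Temp\tmpa1b2c3d4.tmp" /q HASHVA=0123456789abcdef'),
    # Benign: a normal silent install from a share, no key-carrying property
    ("service-create", r'msiexec.exe /i "\\fileserver\share\7z1900-x64.msi" /qn INSTALLDIR=C:\Tools'),
]
SAMPLE_TASK_EVENT = (
    'Task Scheduler successfully completed task "\\ff265adc-c44c-4243-a354-c582a721fe83" , '
    'instance "{35d00646-d81a-4b84-bd21-2374f72205b0}" , action "msiexec.exe" '
    "with return code 1602.")


def run_samples():
    """Apply both detectors to the constructed samples."""
    findings = [f for src, cmd in SAMPLE_SERVICE_CMDLINES
                if (f := inspect_command_line(src, cmd)) is not None]
    return findings, inspect_task_event(SAMPLE_TASK_EVENT)


if __name__ == "__main__":
    found, task = run_samples()
    for f in found:
        print(f"[{f.source}] {f.package}: " + "; ".join(f.reasons))
    print("scheduled task:", task)
```

The property name alone is deliberately not enough to alert: legitimate deployments pass custom properties all the time, so the rule requires the key property together with the .tmp package name or the silent switch, and the task-name check insists on the bare-GUID naming seen in the quoted event rather than any msiexec task.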

The MSI files used in the attacks contain a malicious stub that serves as a loader. 
The stub loads the other malware resources right from the MSI file and decrypts them, 
before passing execution to the decrypted code in memory. 


[Hex dump of the malicious MSI stub (msi.dll). Recoverable strings: the MSI table query 
SELECT 'Data' FROM 'Binary' WHERE 'Name'='%s%i' (highlighted), the property name PROP, 
the export StartAction, and the imports VirtualAlloc, VirtualFree, VirtualProtect (KERNEL32.dll), 
wsprintfW (USER32.dll) and RegQueryValueExW (ADVAPI32.dll).] 

Malicious stub with query to load the other resources from the MSI file highlighted. 

The encryption algorithms used for these packages differ from case to case. It's 
important to point out that the attackers were careful enough to implement unique 
methods, encryption algorithms and names (such as file names) for each attack, as a 
method to escape detection from security products and limit the ability of an antivirus 
company to find other infections once one of them has been identified. 

So far, we've seen the following encryption algorithms used by the attackers: 

• Camellia 

• AES 


6 http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf 

• XTEA 

• RC4 

• Different multibyte XOR-based encryption 

For compression algorithms, we've seen the following: 


• LZJB 

• LZF 

• FastLZ 

• LZO 


In essence, each compiled attack platform uses a unique combination of algorithms, which 
makes it very difficult to detect. 

The attackers can deploy two types of packages to their victims: 

• "Basic", in-memory remote backdoor (~500K) 

• Fully featured, C&C-capable, in-memory espionage platform (18MB) 


These have similar structures and look like the following: 
Malicious Duqu 2.0 MSI package. 


In the screenshot above, one can see the loader (ActionDll: 17,920 bytes) and the main 
payload (ActionData0: 476,736 bytes). Upon execution, ActionDll is loaded and control is 
passed to its only export, StartAction. 


The "basic" in-memory remote backdoor is pushed to computers inside the domain 
by the Domain Controller on a regular basis - almost like a worm infection. This gives 
the attackers an entry into most of the machines from the domain and if further access 
is needed, they can upload a more sophisticated MSI file that deploys tens of different 
plugins to harvest information. 


A thorough description of the malware loading mechanism from the "basic" remote 
backdoor MSI can be found below. 


ANALYSIS OF A DUQU 2.0 MSI PACKAGE 


Filename: random / varies from case to case 

MD5 (example, can vary): 14712103ddf9f6e77fa5c9a3288bd5ee 

Size: 503,296 bytes 

File properties 

The MSI file has the following general properties: 

• Composite Document File V2 Document 

• Little Endian 

• OS: Windows, Version 6.1 

• Code page: 1252 

• Title: {7080A304-67F9-4363-BBEB-4CD7DB43E19D} (randomly generated GUIDs) 

• Subject: {7080A304-67F9-4363-BBEB-4CD7DB43E19D} 

• Author: {7080A304-67F9-4363-BBEB-4CD7DB43E19D} 

• Keywords: {7080A304-67F9-4363-BBEB-4CD7DB43E19D} 

• Comments: {7080A304-67F9-4363-BBEB-4CD7DB43E19D} 

• Template: Intel;1033 

• Last Saved By: {7080A304-67F9-4363-BBEB-4CD7DB43E19D} 

• Revision Number: {4ADA4205-2E5B-45B8-AAC2-D11CFD1B7266} 

• Number of Pages: 100 

• Number of Words: 8 

• Name of Creating Application: Windows Installer XML (3.0.5419.0) 

• Security: 4 

It should be noted that MSI files used in other attacks can have other properties. 
For example, we observed several other fields: 

• Vendor: Microsoft or InstallShield 

• Version: 1.0.0.0, 1.1.2.0 or 2.0.0.0 


Some of these are visible via the Windows Explorer file properties dialog box: 


[Screenshot: Windows Explorer file properties dialog for the MSI. The Title, Subject, 
Comments and other text fields show {7080A304-67F9-4363-BBEB-4CD7DB43E19D}; 
Revision number {4ADA4205-2E5B-45B8-AAC2-D11CFD1B7266}; Program name: Windows 
Installer XML (3.0.5419.0); Item type: Windows Installer Package.] 

There are two binary blocks inside this MSI package: 

[Screenshot: MSI table view. Tables: Binary (columns Name, Data), CustomAction, 
InstallExecuteSequence, Property. Binary table rows: ActionDll [Binary Data], 
ActionData0 [Binary Data].] 



The first binary, called ActionDll, is in fact a Windows PE DLL file, while the other one 
is a Camellia-encrypted and LZJB-compressed data payload (the encryption and 
compression algorithms vary from case to case). In fact, there are several layers of 
executable code embedded in one another as compressed or encrypted binary blocks. 
Here's a look at a Duqu 2.0 MSI package, with all its internal payloads: 


[Diagram: Duqu 2.0 MSI structure] 

Custom Action DLL (msi.dll) - executable code, StartAction(): 
• Decrypt ActionData0 block with key from command line 

Custom Action Data (compressed, encrypted) - shellcode: 
• Find essential system API 
• Decompress 
• Get BLOB of embedded PE 
• Get BLOB of embedded Payload 
• Rebuild shellcode 
• PE Loader 

Utility DLL (klif.dll) - executable code: 
• Open MSI file from OS 
• Jump into shellcode 
• Load the DLL and run second export function 
• Bypass AV products 
• Decompress 
• KLIFAPI: Load or Inject PE; Generate MSI package 
• Inject and start payload from VFS 

Archived VFS - shellcode (container header: CPU Architecture | Payload Type | Process Name): 
Orchestrator DLL - executable code: 
• Communication with C2 
• C2 Proxying 
• Plugin management 

Archived VFS #2 - Plugins (DLLs): 
• 0-day CTwoPENC.dll 
• KMART.dll driver 
• C2 Config 
We describe these components in more detail below. 

First Layer: ActionDLL (msi.dll) 

Original filename: msi.dll 

MD5: e8eaec1f021a564b82b824af1dbe6c4d 

Size: 17,920 bytes 

Link time: 2004.02.12 02:04:50 (GMT) 

Type: 64-bit PE32+ executable DLL for MS Windows 


This DLL has only one export, named StartAction, which is called in the context of the 
msiexec.exe process. When this function is called, it retrieves an MSI property called 
PROP and uses it as a decryption key for the bundled ActionData0 package: 


mov     [rsp+hInstall], ecx 
sub     rsp, 58h 
mov     [rsp+58h+pcchValueBuf], 1 
lea     r9, [rsp+58h+pcchValueBuf]      ; pcchValueBuf 
lea     r8, [rsp+58h+szValueBuf]        ; szValueBuf 
lea     rdx, szName                     ; "PROP" 
mov     ecx, [rsp+58h+hInstall]         ; hInstall 
call    MsiGetPropertyW 
test    eax, eax 
jz      short loc_180003BD2 
xor     eax, eax 
jmp     short loc_180003C49 



Next, the code iterates over 12 possible payloads that have to be decrypted and 
started. The payloads are part of the MSI and may have the following names: 
ActionData0, ActionData1, ActionData2, etc. 

The package described here contains only one payload, named "ActionData0". 


Second Layer: ActionData0 


This binary chunk contains the main code, in compressed and encrypted format. It 
represents a composition of executable, position-independent code blocks mixed with 
embedded data objects. The code seems to be based on a framework and heavily uses 
helper structures that contain pointers to a set of system APIs and offsets to internal 
data blocks. Such structures are definitely a trademark of the developer. When they 
are initialized, one field (usually the first 4 bytes) contains a magic value that identifies 
the state and type of the structure. 

Another trademark of the coder is the way system APIs are imported by module and 
export name hashes. The hashing algorithm was found all over this and other layers of 
executable code. It's easily recognizable by two DWORD constants: 0x8A20C27 and 
0x67F84FC6. 


Basically, the code in ActionData0 passes execution to an embedded executable, which 
we will refer to by its internal name: "klif.dll". The execution is passed to the second 
exported function in the export table of this DLL file. This disregards the export name 
and relies only on the order of functions in the table of PE export ordinals. When this 
export function is called, a pointer to a next-stage helper structure is passed to it, so 
that it can use some of the values set on the upper layer. 


0000 AppClass                      struc 
0000                               dd ?    ; 0x72384263 
0004 field_4                       dd ? 
0008 lstrcmpiW                     dq ? 
0010 VirtualQuery                  dq ? 
0018 RtlAnsiStringToUnicodeString  dq ? 
0020 field_20                      dq ? 
0028 VirtualProtect                dq ? 
0030 VirtualAlloc                  dq ? 
0038 GetProcAddress                dq ? 
0040 RtlFreeUnicodeString          dq ? 
0048 MapViewOfFile                 dq ? 
0050 FlushInstructionCache         dq ? 
0058 VirtualFree                   dq ? 
0060 LdrLoadDll                    dq ? 
0068 ZwCreateSection               dq ? 
0070 ZwMapViewOfSection            dq ? 
0078 ZwUnmapViewOfSection          dq ? 
0080 FreeLibrary                   dq ? 
0088 CreateThread                  dq ? 
0090 WaitForSingleObject           dq ? 
0098 ZwClose                       dq ? 
00A0 GetSystemDirectoryW           dq ? 
00A8 ZwOpenSection                 dq ? 
00B0 ...Thread                     dq ?    ; name cut off in the original listing 
00B8 ZwQuerySystemInformation      dq ? 
00C0 CreateFileW                   dq ? 
00C8 GetTickCount                  dq ? 
00D0 GetCurrentProcessId           dq ? 
00D8 GetCurrentProcess             dq ? 
00E0 ReadProcessMemory             dq ? 
00E8 DeviceIoControl               dq ? 
00F0 GetCurrentThreadId            dq ? 
00F8 GetModuleHandleW              dq ? 
0100 LdrUnlockLoaderLock           dq ? 
0108 LdrLockLoaderLock             dq ? 
0110 wsprintfW                     dq ? 




However, before passing execution to klif.dll, the code attempts alternative routes. 

First, it attempts to find a name of the following format: "api-ms-win-shell-XXXX.dll", 
where "X" can be any decimal digit. The name is valid if there is no module with such a 
filename loaded into the current process. The code iteratively tries to find such a name 
starting from api-ms-win-shell-0000.dll, api-ms-win-shell-0001.dll, api-ms-win- 
shell-0002.dll and so on. This may be a dependency on a Duqu platform component 
that is yet to be discovered. 

Right after this, if the name was found, the code attempts to map a section kernel object 
by name, which is generated using a PRNG-based algorithm. The name of the section 
has the following template: "\BaseNamedObjects\{XXXXXXXX-XXXX-XXXX-XXXX- 
XXXXXXXX}", where "X" is any hexadecimal digit that is generated based on the current 
system boot time. So the name of the section is "machine/boot time" dependent, 
which makes it unique but allows other processes or modules to locate the section if 
they use the same name generation algorithm. This section is accessed in various other 
parts of the code and modules. Let's refer to this section as the OSBoot-section from now on. 
Once the section name is generated, the code tries to open the section and, if it is 
found, it takes some values from it and attempts to open a specific device and issue a 
number of IOCTL codes to the driver. The name of the driver device as well as the IOCTL 
codes are located inside a section of the kernel mode driver KMART.dll that is described 
below. 

The code developer has a preference for using sections over any other way to access 
data. Another use of sections appears to be in mapping the part of code/data where 
klif.dll is embedded and then finding that section using a hardcoded magic QWORD 
number: 0xA1B5F8FC0C2E1064. Once the section is found in the address space of the current 
process, the code attempts to pass execution to it. This alternative execution route is 
not applicable to the current MSI file package but simply exists in the code, probably due 
to a common code template used for building the current MSI package. It may also be an 
indicator of another Duqu platform component that wasn't used in the attacks that we 
observed. 


Third Layer: klif.dll 

Original filename: klif.dll 

MD5: 3fde1bbf3330e0bd0952077a390cef72 

Size: 196,096 bytes 

Link time: 2014.07.06 08:36:50 (GMT) 

Type: 64-bit PE32+ executable DLL for MS Windows 

Apparently, this file attempts to mimic the name of a legitimate Kaspersky Lab 
product component: "klif.sys". Although there is no similarity in code or in file 
information, the module uses the Kaspersky Lab acronym in its export names: KLInit and 
KLDone. 
When this DLL is loaded into a new process, it simply initializes internal structures, such 
as those providing pointers to the required system API. 

The real payload of this module is located in the KLDone export function, which is 
second in the list of the export table. This export function is called from the previous 
code layer. 

First, it makes sure that global application structure is initialized with essential functions 
from ntdll.dll, kernel32.dll and user32.dll. System API functions are imported using hashes 
of export names. The hashing algorithm is identical to the one described one layer above 
and uses the same magic constants: 0x8A20C27 and 0x67F84FC6. 

Next the code iterates through the list of running processes and hashes lowercase name 
of each process. The hash is compared to a hardcoded value of 0x3E3021CB, which is a 
hash for the "avp.exe" string. 

Attacking AVP.EXE 

If the "avp.exe" process is running, the module attempts to open the OSBoot-section as 
described before and tries to attack the avp.exe process. The attack starts by 
identifying the exact path of the installed Kaspersky Lab product, iterating through an 
array of hardcoded registry keys and values for the following products: 

KES12, AVP15, AVP10, AVP8, KES11, AVP14.0.0, KES9, AVP7, KES10, AVP14, KES8, 
AVP6, AVP16.0.0, AVP13, AVP80, AVP16, AVP12, AVP90, AVP15.0.0, AVP11, AVP9 


The registry values queried by the module contain a filesystem path to the root directory 
where the corresponding product is installed. For example: "C:\Program Files\Kaspersky 
Lab\Kaspersky Internet Security 15.0.0\". 

Once the registry key and value are found, the module confirms that the avp.exe file is located 
in that directory. It does some basic file availability checks as well: it makes sure that 
environment variables are resolved, that the file can be opened for reading and that it begins 
with 0x5A4D (the magic "MZ" value of Windows executables). 

After that, the module creates a new section and maps avp.exe as a file view to this 
section. To allow code execution, the attributes of this memory region are also changed 
accordingly. This allows the module to change bytes from the mapped avp.exe in 
memory. The module applies two patches to the mapped avp.exe in a quite unusual way 
using SSE2 CPU extensions. In fact, it patches just the old DOS PE header (less than 120 
bytes). The patches are simple callback mechanisms that call arbitrary function passed as 
an argument. 

Right after this, the module attempts to start a new thread that begins at one of the 
patched locations. So the new thread begins with a call originating from the 
avp.exe module that does some other calls, i.e. jumping back to klif.dll. Apparently, this 
attack was introduced to trick the avp.exe process into believing that further calls will 
be safe and trusted, as the root of the call stack is coming from the legitimate avp.exe 
module. This is what we see further down in the code: the new thread instantly jumps 
from avp.exe back to klif.dll and tries to communicate with the Kaspersky Lab product 
minifilter driver, known as klif.sys. 

In fact, just before communicating with klif.sys, it opens the OSBoot-section and gets an 
IOCTL code as well as the name of the driver device to send this IOCTL code to. The section 
and the corresponding driver (KMART.dll) provide certain support to the current module. The 
code hashes the current process name and verifies whether it matches one of three hashes: 

0x3E3021CB (avp.exe), 0xDE6D4DA0 (msiexec.exe), 0xB915B2D8 (rundll32.exe). 

If the current process name hash is recognized, the module communicates with klif.sys 
by opening the \KlifComm minifilter communication port and sending a series of driver 
communication messages. According to our analysis of the messages, this technique 
makes process or thread operations "invisible" to the klif interceptor. Such a registered 
entity is considered trusted and its activity is excluded from AV scanning, process 
monitoring, the firewall and other defense engines that are subscribed to intercepted events. 
In addition, the module requests support from the self-defense feature of the Kaspersky Lab 
product, which is normally used to protect the software from aggressive malware that 
kills the security software processes using a number of techniques available from the 
OS. This of course guarantees that even a user with administrative privileges cannot stop 
such a process. 

Considering that this seemed to be an attack against Kaspersky Lab products, we did 
some additional tests of the products and found that current products verify the caller 
process by checking its custom digital signature. So, without additional driver support, 
this technique should fail. Verification of the digital signature of the process that opened 
the \KlifComm minifilter communication port has been implemented in all Kaspersky Lab 
products since 2010. So this could affect only older products such as KIS2010, which was 
released by Kaspersky Lab in 2009. 

It doesn't look realistic now that the attackers started implementing tricks against 
Kaspersky Lab products in 2009 or earlier. So we looked for another rational explanation 
and seem to have found it. 

Such an attack doesn't normally work against our products because they verify that the 
caller process is legitimate by checking its custom digital signature. To bypass this, the 
Duqu 2.0 component named "KMART.dll" patches "klif.sys" in memory to bypass this check. 
The attack works because the attacker's "KMART.dll" is already running in kernel mode 
due to a vulnerability in the Windows kernel. 

After sending the codes, the module proceeds to the next stage, which is process 
migration, described further below. 



[Screenshot: "About" dialog of Kaspersky Internet Security 2010 - Version: 9.0.0.736, 
© 1997-2009 Kaspersky Lab ZAO. All Rights Reserved. Warning! Exclusive rights for the 
program belong to Kaspersky Lab ZAO. Registered trademarks and service marks are the 
property of their respective owners.] 
CTwoPENC.dll zero-day and KMART.dll 

The third layer klif.dll performs a multitude of functions in order to ensure the survival of 
the malware in memory and bypass antivirus detections. 

One important step is to get kernel level access. On 64-bit systems, one cannot simply 
load and run kernel mode code without a signed driver. While other attackers such 
as Equation or Turla chose to piggyback on third-party signed drivers, the Duqu 2.0 
platform relies on a much more cunning trick. 

One of the payloads bundled together with "klif.dll" is called "CTwoPENC.dll". This is 
a Windows kernel mode exploit (CVE-2015-2360) that allows them to run code with the 
highest privileges in the system. We recovered several versions of "CTwoPENC.dll", both 
for 32-bit and 64-bit versions of Windows, with the following compilation timestamps: 

• 2014.08.25 01:20:04 (GMT) 

• 2014.08.25 01:19:03 (GMT) 

• 2014.07.06 09:17:03 (GMT) 

Unlike other Duqu 2.0 modules, these timestamps appear to be legitimate. The reason 
for this remains unknown - perhaps the Duqu platform developers got this module from 
somebody else and forgot to patch its compilation timestamp. 

"CTwoPENC.DLL" exploits a zero-day vulnerability in "win32k.sys" to gain kernel privileges 
while being run as an unprivileged user. It creates several windows with classes named 
"CPer", "Zero", "CTwo", "Vero" in several threads and manipulates the callback pointers. 

v0 = GetProcessHeap(); 
v23 = HeapAlloc(v0, 8u, 0x4000u); 
if ( v23 ) 
{ 
  v1 = GetProcessHeap(); 
  lpMem = HeapAlloc(v1, 8u, 0x4000u); 
  if ( lpMem ) 
  { 
    WndClass.lpfnWndProc = DefWindowProcA; 
    WndClass.lpszClassName = "CPer"; 
    if ( RegisterClassA(&WndClass) ) 
    { 
      hWndNewParent = CreateWindowExA(0, "CPer", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); 
      if ( hWndNewParent ) 
      { 
        WndClass.lpszClassName = &ClassName; 
        v9 = 0; 
        do 
        { 
          v25 = v9 + 1; 
          sub_100037FE(&ClassName, v9); 
          v10 = RegisterClassA(&WndClass); 
          *((_WORD *)lpMem + v9) = v10; 
          if ( !v10 ) 
            break; 
          v11 = CreateWindowExA(0, &ClassName, &ClassName, 0, 0, 0, 0, 0, 0, 0, 0, 0); 
          v12 = (char *)v23 + 4 * v9; 
          *(DWORD *)v12 = v11; 
          if ( !v11 || sub_100035AB(v11, &hWnd, 0) ) 
            break; 
          v14 = *(_DWORD *)v12; 
          if ( Check64(v13) ) 
          { 

Part of the exploit code that registers window classes and creates new windows. 

The main purpose of the exploit is to load a driver named "KMART.dll". If the exploit 
succeeds, it decompresses "KMART.dll" from the module's body and passes control 
to it while running in kernel mode. Both 32-bit and 64-bit versions of "KMART.DLL" 
exist. This driver implements a kernel-mode attack against the Kaspersky Lab products' 
filter "klif.sys". It patches the import table addresses of the system API functions 
PsGetCurrentProcessId and PsLookupProcessByProcessId and the KlGetStringRef export of 
Kaspersky Lab's anti-virus driver klflt.sys. The intercepted functions are preceded by 
malicious code that impersonates the other malicious modules as coming from the 
process/file "avp.exe" (using the actual location of the anti-virus component), thus 
evading monitoring by the anti-virus software. 

During testing, the zero-day exploit worked on all contemporary Windows versions (XP, 
Vista, 7, 8, 8.1, both 32-bit and 64-bit). This vulnerability was patched by Microsoft 
on June 9, 2015. 


PAYLOAD CONTAINERS AND MIGRATION 


The module supports a number of different payloads provided in the form of containers 
following klif.dll in memory (located in the PE overlay). 

A payload container contains a short header describing the target CPU architecture, payload 
type and target process name or hash. When the module uses some embedded code or 
file, there are normally at least two variants of the code bundled inside: 32-bit and 64-bit. 

Each payload run type is identified by a single character. The current module supports 
the following 5 payload run types: g, i, k, l, q. It seems the developer used ordered 
alphabet characters, which means that there could be other payload run types that 
were removed from the code at some point. Currently the container located in the 
overlay of the subject executable contains an "l" character as its payload run type, so let's 
describe it first. 

Payload type "L" 

First, the code looks for privileges from other processes. The process handle can be 
hardcoded or obtained by looking for currently running processes, hashing their names 
and comparing them to one of known hashes. The module includes the following 
hardcoded process hashes: 

0x31283314 (services.exe), 0x1026D1BA (lsass.exe), 0x3BD2498C (svchost.exe). 

If any of the recognized processes are found, the module opens process token and 
verifies that the following privileges are available: 

• SeDebugPrivilege 

• SeTcbPrivilege 

• SeAssignPrimaryTokenPrivilege 

• SeIncreaseQuotaPrivilege 

• SeImpersonatePrivilege 

• SeRestorePrivilege 

If they are available the module duplicates process token and saves it into an internal 
structure for future use. 
The module looks for one of the available security suites installed in the current system and 
some generic processes if nothing was found. It attempts to find executable files of the 
following software: 

• More than 20 different Kaspersky Lab products 

• McAfee VSCore, SystemCore, HIP 

• Symantec Internet Security 

• Bitdefender 

• ESET 

• H+BEDV 

• TrendMicro Network Security Component 

• Rising AV 

• Avast 

• AVG 2012/2013/2014/2015 

• F-Secure 

• Qihoo 360 Security 

• Generic Windows Processes: 

o %ProgramFiles(x86)%\Windows Defender\MsMpEng.exe 
o %SystemRoot%\syswow64\svchost.exe 
o %SystemRoot%\system32\lsass.exe 
o %SystemRoot%\system32\svchost.exe 

When such an executable is found, and eventually one should be (at least svchost.exe or 
lsass.exe should be present), it runs a new process from the discovered location and replaces 
its executable code with its own code, which is embedded in the current executable in encrypted and 
compressed form. 

If the code manages to find a security token from one of the processes with the required 
security privileges, it uses this token when creating the new process via the 
CreateProcessAsUser API. Otherwise it simply spawns a new process instance. 

The new process is started in a suspended, debugged state. Just before starting the 
new process it disables DEP for child processes to simplify code injection and data 
manipulation. From the outside it may look like a security product was started, 
while on the inside its code is completely different from the legitimate module. 

Payload run type "G" 

This payload is almost identical to payload L described above, but the loader is simpler: 
it skips hijacking a privileged token. The code injection target is selected automatically 
depending on the availability of known processes. 

Payload run type "I" 

This payload is similar to payload G, but makes the loader parse the payload header a bit 
differently: instead of a process name string it takes only 4 bytes, which are presumably 
used as a process hash. This seems to be a way to hide the target process name and 
use only its hash; however, this hasn't been implemented completely in the module we 
analyzed. 
Payload run type "K" 

This payload is designed to run within the context of the current process. The code 
simply copies the code to be executed into separate memory and runs it in a dedicated 
thread, blocking until the thread finishes its execution. 

Payload run type "Q" 

This payload is identical to payload K described above, but it doesn't block execution 
when the new thread is started, so the new code runs asynchronously. 

After the payload container is opened and the code migrated to another process, which can 
be elevated and protected from security software, the real malicious code is activated. 

In most cases it is a simple named-pipe-based backdoor that listens for incoming 
communications from the orchestrator. In rare cases, on selected machines, it can be the 
heavy orchestrator module, which communicates with the command and control server, works 
as a bidirectional proxy and comes with a large bundle of secondary plugins. 


PLATFORM PLUGGABLE MODULES 


In addition to the basic remote backdoor, the attackers deploy more sophisticated 
packages to domain controllers and to the victims of interest inside the LAN. These MSI 
packages can contain tens of different modules designed for various cyberespionage 
functions. 

The fully featured packages are much larger than the basic remote backdoor - 18MB 
vs 500KB. They follow the same structure, with ActionDll and the loader mechanism, 
except they contain a lot more plugins to load and run. 

During our analysis, we identified more than 100 variants of such plugins. 

A description of these plugins follows. To distinguish them, we use a virtual identifier 
based on the first two bytes of their MD5 sum. 

03B7 - The main module of Duqu 2.0, orchestrator. 

Implements multiple protocol handlers for C&C communication, can start an 
intermediate C&C proxy server with a self-signed HTTPS certificate. Starts the plugin 
framework, loads and manages all additional plugins. 

It works via HTTP, HTTPS, SMB network pipes or direct TCP connection using a custom, 
encrypted protocol. Interaction via HTTP is concealed in JPEG or GIF files, similar to the 
2011 version of Duqu. Request names, URLs and User-Agent strings may vary between 
attacks. 

Additional known variants: 3026, 4F11. 

0682 - Collects basic system information: 

• List of running processes 

• Active desktop and terminal sessions 
Collected information is then transmitted to a named pipe provided by the caller. 
Additional known variants: C0B7 


073C - Implements a complete Windows socket-based transport, both client and 
server side. Provides a class factory for the class that encapsulates various networking 
functions. 


0872 - MSI CustomAction library that is activated when the malicious installer package 
is started by the Windows Installer. Loads the encrypted binary blob that contains actual 
malicious payload, decrypts and then executes it in memory. 

The names in version information vary: svcmsi_32.dll, msi3_32.dll, MSI.dll, msi4_32.dll. 

Encryption algorithms also vary: Camellia 256, AES, XXTEA. 

The decryption key is extracted from an MSI parameter, possible names: PROP, 
HASHVA, CKEY. 

The encrypted blob is searched by prefixes (can vary): ActionData, CryptHashs, CAData. 

Both 32-bit and 64-bit versions are known. Additional known variants: 8D7C, 16EF, E6E5, 
434C, 44BD, F708. 


09A0 - 64-bit. Exfiltrates file contents, specifically searching for files matching these 
rules: 


• *.inuse, *hml 

• filename contains "data.hmi" or "val.dat" 

• files from the /Int/HMI/ or /LG/HM/ folders. 


[Figure: string listing from the 09A0 plugin, showing the "hml", "data.hmi", "val.dat", "/Int/HMI/" and "/LG/HM/" strings] 

File and directory names of interest for the 09A0 plugin. 


Additional known variants: 8858 


0AB8 - Provides 25 functions for manipulating files and directories: 

• List files in directories 

• Upload and download arbitrary files 

• Read/write file contents 
In several cases, the modules look specifically for directories named "\int", "\lg", 
"\of\md", "\tl", "\ak" and for files with the extensions ".part", ".manual", ".inuse". 


[Figure: string listing from the 0AB8 plugin, showing "allDirs", "Downloadable", "dlg", "Explorer" and the directory names "\\int", "\\lg", "\\tl", "\\ak", "\\of\\md"] 

File and directory names of interest for the 0AB8 plugin. 


Additional known variants: A69E. 


0B97 - Network transport. Implements API for connecting sockets and pipes provided 
by the caller. Additional variant: 56A2. 

152B - Network and domain discovery. 

• Enumerates all servers in the domain 

• Tries to connect to remote registries and enumerate all users in "HKEY_USERS". 
Usernames are then converted to SIDs 

• Enumerates all visible network shares 


Additional known variants: A987 

1C71 - In-memory storage. Receives and stores string data in file mappings. 

2125 - Network infection module. Tries to acquire administrative credentials from the 
running processes and then connect to a target machine using Windows shares. The 
machine is infected with a malicious DLL backdoor; the target directory varies and may 
be in UPDROOT$, ADMIN$ or C$. Uses custom SMB packets to identify the target OS 
version. The target malicious DLL is then started using a new service created with the name 
"svcmsi_32@". The module communicates with the target backdoor via Windows pipes. 
Additional variant: DB65. Instead of the malicious DLL, it uploads a new MSI package and 
then relies on MSIEXEC.EXE to start the MSI via a newly created service named 
"msisvc_32@"; the target MSI name is generated randomly using the template 
"tmp%x.tmp". 

A service was installed in the system. 

Service Name: svcmsi_32@ 

Service File Name: msiexec /i %systemroot%\temp\tmp129deb0.tmp /q PROP=fa5d78ba-f17 
Service Type: user mode service 
Service Start Type: demand start 
Service Account: Local System 

Example of a Windows event log (System) entry created 
at the moment of infection. 
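One way for a defender to hunt for this lateral-movement step, as an added example that is not code from the report: a scanner over a text export of the System event log that flags service-installation entries matching the service names and the msiexec command line described above. The log entries are constructed for the demonstration and the PROP value is a placeholder.

```python
"""Hunt for Duqu 2.0 lateral-movement service installs in a text export of the
Windows System event log ("A service was installed in the system" entries).
Added example, not code from the report; the sample log below is constructed
and the PROP value is a placeholder."""
import re
from dataclasses import dataclass, field

# Service names the 2125 module and its DB65 variant create on the target.
KNOWN_SERVICE_NAMES = {"svcmsi_32@", "msisvc_32@"}

# msiexec /i %systemroot%\temp\tmp<hex>.tmp /q PROP=<key>  (the key parameter may
# also be called HASHVA or CKEY, per the 0872 CustomAction description)
MSIEXEC_PATTERN = re.compile(
    r"msiexec(?:\.exe)?\s+/i\s+\S*\\temp\\tmp[0-9a-f]+\.tmp\s+/q\b.*\b(?:PROP|HASHVA|CKEY)=",
    re.IGNORECASE,
)


@dataclass
class Finding:
    service_name: str
    image_path: str
    reasons: list = field(default_factory=list)


def parse_entry(entry):
    """Turn the 'Field: value' lines of one event into a dict keyed by lower-case field."""
    fields = {}
    for line in entry.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def check_entry(entry):
    """Return a Finding when the entry matches the infection pattern, else None."""
    fields = parse_entry(entry)
    name = fields.get("service name", "")
    image = fields.get("service file name", "")
    reasons = []
    if name in KNOWN_SERVICE_NAMES:
        reasons.append("service name used by the Duqu 2.0 network infection module")
    if MSIEXEC_PATTERN.search(image):
        reasons.append("msiexec silently installing a tmp%x.tmp package with an inline decryption key")
    return Finding(name, image, reasons) if reasons else None


def scan_log(log_text):
    """Split a log export into blank-line-separated events and return the suspicious ones."""
    events = re.split(r"\n\s*\n", log_text.strip())
    return [f for f in map(check_entry, events) if f is not None]


# Constructed sample: the event shape from the report next to a benign service install.
SAMPLE_LOG = r"""
A service was installed in the system.
Service Name: svcmsi_32@
Service File Name: msiexec /i %systemroot%\temp\tmp129deb0.tmp /q PROP=00000000-placeholder
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

A service was installed in the system.
Service Name: Spooler
Service File Name: %SystemRoot%\System32\spoolsv.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding.service_name, "->", "; ".join(finding.reasons))
```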

Administrative credentials are acquired by stealing a token from any running process that 
was started by a logged-on user with domain administrator rights. For that, it first 
queries the first 100 administrative usernames in the current domain directly from the 
domain controller. 


[Figure: string listing from the network infection module, showing the share and path templates "\\%s", "UPDROOT$", "%s\ADMIN$\system32\msiexec.exe", "%s\ADMIN$\syswow64\msiexec.exe", "ADMIN$", "\\%s\%c$", "%c$", "%c:\", "\\%s\%s" and "\\%s\IPC$", referenced from routines named SelectConnectShare, CheckAccessToMsiexec, NetUseAddIPC and DoNetUseEnum] 

Remote locations used by the network infection module. 


24B7 - Remote desktop administration. Acquires screenshots of the desktop and can 
also send input to the desktop and move the mouse cursor. Both 32-bit and 64-bit 
variants exist. Additional known variants: 65BE, 7795, BDC8, DEE2 


26D6 - Detects running network sniffers (wireshark, tcpview, netstat, dumpcap, 
perfmon); implements a TCP server and communicates via network pipes. Internal 
name: "P.dll". 


2829 - Collects system information 

• Monitors USB device attachment 

• Collects USB drive history 

• Enumerates network shares, windows captions, system routing tables 

• Reads/writes encrypted files 


2913 - WMI data collection 

• Enumerate profiles with SIDs 

• For each profile, extracts information from .lnk files in the profile directory 

• Enumerate processes via WMI (CIMV2), including terminated processes 

• Extracts user information from available remote registries 

Additional known variant: C776 

29D4 - Service msisvc_32@; DLL backdoor that is used for network infection by 
module 2125. Accepts commands via the named pipe "Global\{B54E3268-DE1E-4c1e-A667-
2596751403AD}". Both 32-bit and 64-bit variants exist. 
Additional known variants: 6F92, A505, D242 


2B46 - Extensive collection of system and user information 

• Domain controller's name 

• List of users in the domain 

• Administrators of the domain 

• Enumerates domain trusts 

• TCP tables 

• UDP tables 

• SNMP discovery (OS, parse all replies) 

• USB drive history, mounted devices 

• Installed programs 

• Time zone 

• OS install date 

• ODBC.ini, SQL Server instance info, Oracle ALL_HOMES, SyBase, DB2, MS SQL, 
MySQL last connections 

• DHCP/routing 

• Network profiles 

• Zero Config parameters 

• Connected printers 

• MRU list for WinRAR, WinZip, Office, IE typed URLs, mapped network drives, Visual 
Studio MRU 

• Terminal Service Client default username hint 

• User Assist history 

• PuTTY host keys and sessions 

• Logged on users 

• Network adapter configuration 

• VNC clients passwords 

• Scan the network and identify OS using SMB packet 


[Figure: string listing from the 2B46 plugin, showing the PuTTY session values HostName, LogFileName, PortNumber and PortForwardings and the registry paths Software\SimonTatham\PuTTY\SshHostKeys, Software\SimonTatham\PuTTY\Sessions, Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\filemru, Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU, Software\Microsoft\VisualStudio\9.0\FileMRUList and Software\Microsoft\VisualStudio\9.0\ProjectMRUList] 

Some of the registry locations harvested by the module. 
Additional known variants: A7F8 

2BF7 - Utility DLL. Provides basic API for creating new MSI packages, loading and 
injecting arbitrary PE modules. Also responsible for loading the first level of the VFS 
inside the malicious MSI files. Both 32-bit and 64-bit versions exist. 

Known names: "ntdll.dll", "klif.dll", "apiset.dll". 

Additional known variants: 6DA1, 32DB, 8304, 9931, 9E60, A2D4, ABA9, B3BB, DC5F, 
DD32, F7BB 

3395 - MS SQL discovery module. The module can send ARP packets to the network and 
discover MS SQL Server ports. Additional functions are responsible for connecting to and 
reading remote registry contents. 

35E9 - File system discovery. 

• Enumerate network shares 

• Enumerate local disks 

• Traverse the file system hierarchy and enumerate files; identify reparse points 

3F45 - Pipe backdoor. Opens a new globally visible named Windows pipe, receives and 
executes encrypted commands. The "magic" string that identifies the encrypted protocol 
is "tttttttt". 

• Enumerates running processes 

• Loads and executes arbitrary PE files 

Both 32-bit and 64-bit versions exist. 

Known pipe names: 

• \\.\pipe\{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}, \\.\pipe\{AB6172ED-8105-4996-9D2A-597B5F827501} 

• \\.\pipe\{0710880F-3A55-4A2D-AA67-1123384FD859}, \\.\pipe\{6C51A4DB-E3DE-4FEB-86A4-32F7F8E73B99} 

• \\.\pipe\{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}, \\.\pipe\{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A} 

Additional known variants: 6364, 3F8B, 5926, A90A, DDF0, A717, A36F, 8816, E85E, E927 
4160 - Password stealer 


• Extracts Google Chrome and Firefox login data 

• LSA credentials 


[Figure: string listing from the 4160 plugin, showing "%localappdata%", "local", "%s\Google\Chrome\User Data\Default\Login Data" and the query "SELECT username_value, password_value, origin_url FROM logins"] 

Data used to locate Chrome saved logins. 

Additional known variants: B656 


41E2 - Password stealer. 64-bit module. Extracts: 

• IE IntelliForms history 

• POP3/HTTP/IMAP passwords 

• TightVNC, RealVNC, WinVNC3/4 passwords 

• Outlook settings 

• SAM, LSASS cache 

• Windows Live, .Net Passport passwords 

[Figure: string listing from the 41E2 plugin, showing the imports CredEnumerateW and CredFree and the credential target strings "Microsoft_WinInet", "abe2869f-9b47-4cd9-a358-e22904dba7f7", "WindowsLive:name", ".Net Passport" and "82BD0E67-9FEA-4748-8672-D5EFE5B779B0"] 

References to information collected by the module. 


Additional known variants: 992E, AF68, D49F 


482F - Collects system information. 

• Enumerates disk drives 

• Gets list of running processes 

• Extensive process information including uptime 
• Memory information 

• SID information 


Additional known variants: F3F4 


559B - Active Directory survey. 


• Connects to the Active Directory Global Catalog ("GC:") using ADSI 

• Enumerates all objects in AD 

• Presents every entry in a human-readable format 

    v6 = ADsOpenObject(L"GC:", v5, v3, 1u, &stru_100030C8, &ppObject); 
    *a3 = v6; 
    if ( v6 >= 0 ) 
    { 
      v7 = ADsBuildEnumerator((IADsContainer *)ppObject, &ppEnumVariant); 
      *a3 = v7; 
      if ( v7 >= 0 ) 
      { 
        VariantInit(&pvarg); 
        v8 = ADsEnumerateNext(ppEnumVariant, 1u, &pvarg, &pcElementsFetched); 
        *a3 = v8; 
        if ( v8 < 0 || pcElementsFetched != 1 ) 
        { 
          *v4 = -16; 
        } 
        else 
        { 
          *a3 = pvarg.pdispVal;   // cast omitted: unreadable in the extracted listing; member name follows the ADSI API 
          VariantClear(&pvarg); 
          if ( **a3 < 0 ) 
            *v4 = -17; 
        } 
      } 
      else 
      { 
        *v4 = -15; 
      } 
    } 
    else 
    { 
      *v4 = -14; 
    } 
    if ( ppEnumVariant ) 
      ADsFreeEnumerator(ppEnumVariant); 

Active Directory enumeration routine (decompiler output; variable names are the decompiler's). 


580C - Collects system and network information. 


• Retrieves the domain controller name 

• Enumerates all users and groups in the domain 

• Collects Task Scheduler logs 

• Collects disk information, removable device history 

• Retrieves firewall policies 

• Enumerates all named system objects 

• Enumerates all system services 
5B78 - Collects system information and utilities. One of the two exported functions is 
named "GetReport". 

• Enumerate running processes, extract tokens and SIDs, collect timing information 

• Logon users using explicit credentials 

• Impersonate users of running processes 

• Build new 32-bit and 64-bit shellcode stubs using a hardcoded template 

Both 32-bit and 64-bit versions exist. 

Additional known variants: E8C7, EE6E. 

5C66 - Encrypted file I/O, utilities 

• File I/O operations: open/seek/read/write 

• Manages compressed and encrypted temporary files 
622B - Generates an XML report about the system using a unique schema 


• Computer name 

• Windows directory 

• Enumerates all logical drives 

• Lists all files 

• OS serial number 

• Domain name 

• Network adapter configuration: IP addresses, MAC, MTU, adapter list 


[Figure: string listing from the 622B plugin. Legible strings: the report file name "%s_info.xml"; the messages "Gather metadata error", "Archive error: write failed" and "Archive error: end file failed"; the boolean values "true" and "false"; and the following XML fragments] 

    <?xml version="1.0"?> 
    <SurveyResult xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
    <UniqueID compname="%s" bootOsSerial="%08X" uniqueid="%s"/> 
    <Parameters DirsOnly="%s" MaxDepth="%u"> 
    <TimeFilter %s/> 
    </SurveyResult> 

XML tags used to generate the system report 


6302 - Utilities. Has internal name "d3dx9_27.dll". Executes timer-based events. 


Additional known variants: FA84 


669D - Utilities. Given a list of file names and directories, checks if they exist. 
Additional known variants: 880B 
6914 - Sniffer-based network attacks. Uses the legitimate WinPcap driver "npf.sys". Detects 
NBNS (NetBIOS protocol) requests of interest and sends its own responses: 

• Responds to WPAD requests ("FHFAEBE" in NBNS packets) 

• Sends responses to HTTP GET requests 

The network filter is based on the BPF library. The payloads for the HTTP and WPAD 
responses are provided externally. 

[Figure: string listing from the 6914 plugin, showing the "GET " and "User-Agent: " markers, the status messages "Detected GET request from %s to %s", "No more attacks left, not responding", "Sent response packet to %s for %s (attacks left = %u)", "Not WPAD request", "Detected WPAD request from %s to %s" and "Sent response packet", and the fake HTTP response template] 

    HTTP/1.1 200 OK 
    Content-Type: text/html 
    Connection: Close 
    Content-Length: %d 
    Accept-Ranges: none 
    Cache-Control: no-cache, no-store, must-revalidate 
    Pragma: no-cache 
    Expires: Wed, 21 Jan 1995 11:56:08 GMT 

Fake HTTP response and related status messages. 


6FAC - File API 

• Get file size, attributes 

• Securely delete a file 

• Open/close/read/write file contents 

Additional known variants: A7EE 

7BDA - Collects system information 

• Current state of AV and firewall protection using wscapi.dll API 

• Detect if "sqlservr.exe" is running 

• Computer name 

• Workgroup info 

• Domain controller name 

• Network adapter configuration 

• Time and time zone information 

• CPU frequency 

Additional known variants: EF2E 
7C23 - Extracts metadata from documents and collects system information 

• Computer name 

• System volume serial 

• Complete file API as in 6FAC 

Searches for documents and archives and implements routines to extract all valuable 
information from them: 

• E-mail messages: eml, msg 

• Image files: jpg, jpe, jpeg, tif, tiff, bmp, png 

• Multimedia files: wmv, avi, mpeg, mpg, m4a, mp4, mkv, wav, aac, ac3, dv, flac, 
flv, h264, mov, 3gp, 3g2, mj2, mp3, mpegts, ogg, asf. These are re-encoded with 
libffmpeg. 

• Contents from PDF documents 

• Microsoft Office: doc, docx, xlsx, pptx. Dedicated routines are called accordingly: 
"OfficeRipDoc", "OfficeRipDocx", "OfficeRipXlsx", "OfficeRipPptx". PPT slides are 
extracted and converted to an HTML digest of the presentation. 

• Archives: gz, gzip, gzX3, zip, rar 

Creates temporary files with the extension ".fg4". 

Additional known variants: EB18, C091 


[Figure: string listing from the 7C23 plugin, showing the extensions ".docx", ".pptx", ".xlsx", ".zip" and ".rar", the strings "GdiPlus.dll", "image/jpeg", "OOXML", "Image" and "ffmpeg", and the status messages "Gathering Rar: %s", "RAR_ERROR_%d" and "Running libffmpeg: "] 

Part of the list of file extensions of interest and corresponding status messages. 
8172 - Sniffer-based network attacks. Performs NBNS (NetBIOS protocol) name 
resolution spoofing for: 

• WPAD requests 

• Names starting with "SHR" 

• Names starting with "3142" (log only) 
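As an added example that is not code from the report, covering both the 6914 and 8172 plugins: a decoder for NBNS name packets that recovers the queried name from its first-level encoding (the "FHFAEBE" marker is simply "WPAD" in that encoding) and lists the hosts that answered queries for WPAD, SHR or 3142 names, which a LAN sensor can alert on. The packet builders, names and addresses are constructed for the demonstration.

```python
"""Decode NetBIOS Name Service (NBNS) packets and flag the names that the 6914
and 8172 plugins answer on the LAN (WPAD, names starting with SHR or 3142).
A legitimate network almost never answers such queries over NBNS, so any host
that does is worth investigating.  Added example, not code from the report;
the packets below are constructed."""
import struct

# Name patterns the plugins respond to (8172 only logs the 3142 ones).
SPOOFED_NAME_PREFIXES = ("WPAD", "SHR", "3142")


def encode_netbios_name(name, suffix=0x00):
    """NBNS first-level encoding: 15-byte space-padded name plus suffix byte,
    each byte split into nibbles and offset by 'A'.  "WPAD" becomes "FHFAEBEE...",
    which is the "FHFAEBE" marker the 6914 plugin looks for."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name, txid=0x1234, suffix=0x00):
    """Constructed broadcast name query (flags: opcode 0, RD, B)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN


def build_nbns_response(name, answer_ip, txid=0x1234, suffix=0x00):
    """Constructed positive name query response pointing `name` at answer_ip."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rrname = b"\x20" + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"
    rdata = struct.pack(">H", 0) + bytes(int(o) for o in answer_ip.split("."))
    return header + rrname + struct.pack(">HHIH", 0x0020, 0x0001, 300, len(rdata)) + rdata


def parse_nbns(packet):
    """Return (is_response, name, suffix) from the first name in an NBNS packet.
    Queries and positive responses both carry the name right after the 12-byte header."""
    if len(packet) < 46:
        raise ValueError("packet too short for an NBNS name")
    flags = struct.unpack(">H", packet[2:4])[0]
    if packet[12] != 0x20 or packet[45] != 0x00:
        raise ValueError("unsupported NetBIOS name encoding")
    name, suffix = decode_netbios_name(packet[13:45].decode("ascii"))
    return bool(flags & 0x8000), name, suffix


def classify(packet):
    """Return (kind, name, pattern) when the packet concerns a spoofable name, else None."""
    is_response, name, _suffix = parse_nbns(packet)
    pattern = next((p for p in SPOOFED_NAME_PREFIXES if name.startswith(p)), None)
    if pattern is None:
        return None
    return ("response" if is_response else "query", name, pattern)


def find_spoofers(traffic):
    """traffic: iterable of (src_ip, packet).  Map each host that *answered* a
    WPAD/SHR/3142 query to the names it claimed."""
    answers = {}
    for src_ip, packet in traffic:
        result = classify(packet)
        if result and result[0] == "response":
            answers.setdefault(src_ip, []).append(result[1])
    return answers


if __name__ == "__main__":
    captured = [  # constructed traffic: a workstation asks for WPAD and one host answers
        ("10.0.0.5", build_nbns_query("WPAD")),
        ("10.0.0.66", build_nbns_response("WPAD", "10.0.0.66")),
        ("10.0.0.7", build_nbns_query("FILESRV")),
    ]
    print(find_spoofers(captured))
```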


[Figure: string listing from the 8172 plugin, showing the status messages "Detected SHR request from %s to %s", "Sent SHR response packet", "Got unexpected error while running", "Detected Log: 3142%c", "Detected Log: %s", "Detected GET request from %s to %s", "No more attacks left, not responding" and "Sent response packet to '%s' for URI '%s' (attacks left = %u)", plus the strings "services.exe" and "GET "] 

Status messages related to the attack. 

Additional feature: the module can build new shellcode blobs from hardcoded templates. 


81B7 - Driver management 


• Write driver to disk 

• Start/stop driver 

• Safely remove the driver's file from disk 


Additional known variants: C1B9 
8446 - Oracle DB and ADOdb client. 

• Uses "oci.dll" API to access Oracle databases 

• Extracts all available information from the database 

• Also connects to ADOdb providers 


[Figure: string listing from the 8446 plugin, showing the file name templates "table_%04d.bin" and "table.bin" and the following statements] 

    alter session set cursorbindcapturedestination = off 
    alter session set cursor_sharing = force 
    alter session set nls_date_format = 'dd/mm/yyyy hh24:mi:ss' 
    BEGIN dbms_application_info.set_module('%s', '%s'); END; 
    BEGIN dbms_application_info.set_client_info('%s'); END; 
    alter session set current_schema = %s 

SQL queries and related data. 


8912 - Encrypted file manipulation and collects system information 

• Shared file mapping communication 

• Write encrypted data to files 

• Enumerate windows 

• Enumerate network shares and local disks 

• Retrieve USB device history 

• Collect network routing table 

Known mutex and mapping names: 

• Global\{DD0FF599-FA1B-4DED-AC70-C0451F4B98F0} Global\{B12F87CA-1EBA-4365-B90C-E2A1D8911CA9}, 

• Global\{B03A79AD-BA3A-4BF1-9A59-A9A1C57A3034} Global\{6D2104E6-7310-4A65-9EDD-F06E91747790}, 

• Global\{DD0FF599-FA1B-4DED-AC70-C0451F4B98F0} Global\{B12F87CA-1EBA-4365-B90C-E2A1D8911CA9} 
Additional known variants: D19F, D2EE 


9224 - Runs console applications. Creates processes on the "Default" desktop, attaches to 
their console and redirects their I/O to named pipes. 


92DB - Modified cmd.exe shell. 


[Figure: string listing from the 92DB plugin, showing the command keywords ELSE, DATE, COMSPEC, REM, CHDIR, CD, VOL, PATH, TIME and SET, and the strings "\CMD.EXE" and "\*"] 

Several CMD commands processed by the shell. 


9F0D (64-bit), D1A3 (32-bit) - legitimate signed driver NPF.SYS (WinPcap) distributed 
inside the VFS along with the plugins. It is used for sniffer-based network attacks. 

A4B0 - Network survey 

• Uses the DHCP Server Management API (DHCPSAPI.DLL) to enumerate all of the DHCP 
server's clients 

• Queries all known DHCP sub-networks 

• Searches for machines that have ports UDP 1434 or 137 open 

• Enumerates all network servers 

• Enumerates network shares 

• Tries to connect to remote registries to enumerate all users in HKEY_USERS, converts 
them to SIDs 


B6C1 - WNet API. Provides wrappers for the WNetAddConnection2 and WNetOpenEnum 
functions. 

Additional known variants: BC4A 
C25B - Sniffer-based network attacks. Implements a fake SMB server to trick other 
machines into authenticating with NTLM. 


Implements basic SMB v1 commands 


[Figure: command dispatch table of the fake SMB server, pairing each SMB1 command code
with its handler routine:

  72h   smb_cmd_negotiate
  73h   SMB_COM_SESSION_SETUP_ANDX
  2Bh   SMB_COM_ECHO
  75h   SMB_COM_TREE_CONNECT_ANDX
  0A2h  SMB_COM_NT_CREATE_ANDX
  0A0h  SMB_COM_NT_TRANSACT
  32h   SMB_COM_TRANSACTION2
  2Eh   SMB_COM_READ_ANDX
  0Bh   SMB_COM_WRITE
  2Fh   SMB_COM_WRITE_ANDX
  04h   SMB_COM_CLOSE
  71h   SMB_COM_TREE_DISCONNECT
  74h   SMB_COM_LOGOFF_ANDX
  (table terminated by a zero entry)]

SMB commands handled by the module 


• Pretends to have IPC$ and A: shares 

• Accepts user authentication requests 

• Also handles HTTP "GET /" requests 

[Figure: data referenced by the fake SMB server: the "\Device\" prefix used by
SelectAdapter; the dialect string "NT LM 0.12" and a hard-coded NTLM challenge, both
referenced from smb_cmd_negotiate; the "Windows" and "LAN Manager" strings returned by
SMB_COM_SESSION_SETUP_ANDX; and the "IPC$", "A:" and "FAT" strings used by
SMB_COM_TREE_CONNECT_ANDX]

NTLM challenge and SMB server data 
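A server that answers every NEGOTIATE with the same hard-coded challenge is a usable network signal for a rogue SMB server of this kind. The following Python is an added example, not code from the report: it parses classic NT LM 0.12 NEGOTIATE replies and reports servers that repeat a challenge across sessions; the packets and addresses are constructed.

```python
"""Flag an SMB server that hands every client the same NTLM challenge.

Added example, not code from the report. The C25B plugin keeps its challenge as
constant data, so NEGOTIATE replies captured from such a rogue server repeat the
same challenge bytes session after session, whereas a real server draws a fresh
challenge for each session. The parser handles the classic NT LM 0.12 NEGOTIATE
reply (WordCount 17) inside a NetBIOS session header; all packets are constructed.
"""
import struct
from collections import Counter

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80
NEG_WORDS = "<HBHHIIIIqhB"   # DialectIndex .. ChallengeLength, 34 bytes in total


def parse_negotiate_response(pkt: bytes) -> dict:
    """Return dialect index, security mode and challenge from a NEGOTIATE reply.

    Raises ValueError for anything that is not such a reply.
    """
    if len(pkt) < 4 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    body = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]
    if len(body) < 69 or body[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    if body[4] != SMB_COM_NEGOTIATE or not body[9] & SMB_FLAGS_REPLY:
        raise ValueError("not a NEGOTIATE reply")
    if body[32] != 17:                               # WordCount
        raise ValueError("unsupported WordCount %d" % body[32])
    fields = struct.unpack_from(NEG_WORDS, body, 33)  # 17 words follow WordCount
    dialect_index, security_mode, challenge_len = fields[0], fields[1], fields[-1]
    byte_count = struct.unpack_from("<H", body, 67)[0]
    data = body[69:69 + byte_count]                  # Challenge, then DomainName
    if len(data) < challenge_len:
        raise ValueError("truncated challenge")
    return {"dialect_index": dialect_index,
            "security_mode": security_mode,
            "challenge": bytes(data[:challenge_len])}  # empty => extended security


def build_negotiate_response(challenge: bytes, domain: bytes = b"WORKGROUP") -> bytes:
    """Construct a minimal NT LM 0.12 NEGOTIATE reply for testing, not real server output."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\0" * 4   # Command, Status
              + bytes([SMB_FLAGS_REPLY]) + b"\0" * 22)               # Flags .. MID
    words = struct.pack(NEG_WORDS, 0, 0x03, 50, 1, 16644, 65536, 0, 0, 0, 0, len(challenge))
    data = challenge + domain + b"\0"
    body = header + bytes([17]) + words + struct.pack("<H", len(data)) + data
    return b"\0" + len(body).to_bytes(3, "big") + body


def find_fixed_challenge_servers(sessions) -> set:
    """sessions: iterable of (server_ip, negotiate_reply_bytes), one per SMB session.

    Returns the servers that issued the same non-empty challenge more than once.
    """
    counts = Counter()
    for server, pkt in sessions:
        try:
            challenge = parse_negotiate_response(pkt)["challenge"]
        except ValueError:
            continue            # not a NEGOTIATE reply we understand; skip it
        if challenge:
            counts[(server, challenge)] += 1
    return {server for (server, _), n in counts.items() if n > 1}


# Constructed capture: a rogue server replaying one constant challenge, a normal
# server with a fresh challenge per session, and one non-SMB packet that is ignored.
FIXED_CHALLENGE = b"\x11\x22\x33\x44\x55\x66\x77\x88"
SAMPLE_SESSIONS = [
    ("10.0.0.5", build_negotiate_response(FIXED_CHALLENGE)),
    ("10.0.0.5", build_negotiate_response(FIXED_CHALLENGE)),
    ("10.0.0.5", build_negotiate_response(FIXED_CHALLENGE)),
    ("10.0.0.9", build_negotiate_response(bytes(range(8)))),
    ("10.0.0.9", build_negotiate_response(bytes(range(8, 16)))),
    ("10.0.0.9", b"\x00\x00\x00\x04GET "),
]

if __name__ == "__main__":
    print("servers replaying a fixed challenge:", find_fixed_challenge_servers(SAMPLE_SESSIONS))
```

Replies that negotiate extended security carry no challenge in NEGOTIATE (ChallengeLength 0) and are skipped; the check then belongs on the NTLM CHALLENGE_MESSAGE inside SESSION_SETUP_ANDX instead.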
ED92 - File system survey 

• Enumerates all local drives and connected network shares 

• Lists files 

EF97 - Filesystem utilities 

• Enumerate files 

• Create and remove directories 

• Copy/move/delete files and directories 

• Extract version information from files 

• Calculate file hashes 

Additional known variants: F71E 


PERSISTENCE MECHANISM 


The Duqu 2.0 malware platform was designed to survive almost exclusively in the memory 
of infected systems, without any need for persistence. To achieve this, the attackers 
infect servers with high uptime and then re-infect any machines in the domain that get 
disinfected by reboots. Surviving exclusively in memory while running kernel-level code 
through exploits is a testament to the technical prowess of the group. In essence, the 
attackers were confident enough that they could survive within an entire network of 
compromised computers without relying on any persistence mechanism at all. 

The reason why there is no persistence with Duqu 2.0 is probably because the attackers 
wanted to stay under the radar as much as possible. Most modern anti-APT technologies 
can pinpoint anomalies on the disk, such as rare drivers, unsigned programs or 
maliciously-acting programs. Additionally, a system where the malware survives reboot 
can be imaged and then analyzed thoroughly at a later time. With Duqu 2.0, forensic 
analysis of infected systems is extremely difficult - one needs to grab memory snapshots 
of infected machines and then identify the infection in memory. 

However, this mechanism has one weakness: in the case of a massive power failure, all 
computers will reboot and the malware will be eradicated. To get around this problem, 
the attackers have another solution - they deploy drivers to a small number of 
computers with direct Internet connectivity. These drivers can tunnel traffic from the 
outside into the network, allowing the attackers to access remote desktop sessions or 
to connect to servers inside the domain using previously acquired credentials. With 
these credentials, they can re-deploy the entire platform following a massive power loss. 

COMMAND AND CONTROL MECHANISMS 


Duqu 2.0 uses a sophisticated and highly flexible command-and-control mechanism that 
builds on top of the 2011 variant, with new features that appear to have been inspired 
by other top class malware such as Regin. This includes the usage of network pipes and 
mailslots, raw filtering of network traffic and masking C&C traffic inside image files. 
Inside a Windows LAN, newly infected clients may not have a C&C hardcoded in their 
installation MSI packages. Without a C&C, they remain in a "dormant" state and can be 
activated by the attackers over SMB network pipes with a special TCP/IP packet that 
contains the magic string "tttttttttttttttt". If a C&C is included in the configuration part 
of the MSI file, it can be either a local IP address, which serves as a bouncing point, or 
an external IP address. As a general infection strategy, the attackers identify servers 
with high uptime and set them up as intermediary C&C points. Hence, an infected machine 
can jump between several internal servers in the LAN before reaching out to the Internet. 

To connect to the C&C servers, both the 2011 and the 2014/2015 versions of Duqu can hide 
the traffic as encrypted data appended to a harmless image file. The 2011 version used a 
JPEG file for this; the new version can use either a GIF file or a JPEG file. Here is what 
these image files look like: 



Another modification in the 2014/2015 variants is the addition of multiple user agent 
strings for the HTTP communication. The 2011 version used the following user agent string: 

• Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 
Firefox/3.6.9 (.NET CLR 3.5.30729) 

The new variants randomly select a user agent string from a table of 53 different 
possible ones. 
Another unusual C&C mechanism relies on driver files that are used to tunnel the C&C 
communications and the attackers' RDP/SMB activity into the network. The attackers deploy 
such translation drivers on servers with direct Internet connectivity. Through a knocking 
mechanism, the attackers can activate the translation mechanism for their IPs and tunnel 
their traffic directly into the LAN. Outside the LAN, the traffic can be masked over port 
443; inside the LAN, it can be either direct SMB/RDP or it can be further translated over 
fake TCP/IP packets to IP 8.8.8.8. 

During our investigation, we observed several such drivers. A description can be found 
below. 

The "portserv.sys" driver analysis 

MD5: 2751e4b50a08eb11a84d03f8eb580a4e 




[Diagram: an attacker outside the network performs IP knocking by magic string against an 
Internet-facing server running the packet-forwarding SYS driver; behind it, the domain 
controller and the terminal server carry implants that run only in memory] 


Size: 14336 

Compiled: Sat Feb 11 21:55:30 2006 (fake timestamp) 

Internal name: termport.sys 

Type: Win32 device driver (a 64 bit version is known as well) 
This is a malicious NDIS filter driver designed to manipulate TCP/IP packets so as to 
allow the attacker to access internal servers in the victim's infrastructure. 

Upon startup, the filter driver hooks into the NDIS stack and starts processing TCP/IP 
packets. 

To leverage the driver, the attacker first sends a special TCP/IP packet with the string 
"romanian.antihacker" to any of the hardcoded IPs belonging to an infected server. In 
general, such servers are computers with direct Internet connectivity, such as a 
web server or a proxy. The driver sees the packet, recognizes the magic string 
"romanian.antihacker" and saves the attacker's IP for later use. 



Magic string used for knocking inside the driver. 


When a packet comes from the attacker's IP (saved before), the following logic applies: 

• A packet to server 1's IP on port 443 is redirected to port 445 (Samba/Windows file 
system) 

• A packet from server 1's IP from port 445 is redirected to the attacker's IP on port 443 

• A packet to server 2's IP on port 443 is redirected to port 3389 (Remote Desktop) 

• A packet from server 2's IP from port 3389 is redirected to the attacker's IP on port 443 

This effectively allows the attackers to tunnel SMB (remote file system access) and 
Remote Desktop into these two servers while making it look like SSL traffic (port 443). 

These drivers allow the Duqu attackers to easily access servers inside the LAN remotely, 
including tunneling RDP sessions over port 443 (normally SSL). They also give the 
attackers a persistence mechanism that lets them return even if all the infected machines 
with the malware in memory are rebooted. The attackers can simply use existing 
credentials to log back into any of the servers that the driver is serving and 
re-initialize the backdoors from there. 
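Seen from the network, the tunnel has a simple tell: the port rewrite changes nothing inside the packets, so port 443 carries SMB or RDP bytes instead of a TLS record. The Python below is an added example, not code from the report; it turns that observation, the "romanian.antihacker" knock and the "tttttttttttttttt" wake-up string into checks over a constructed packet list (addresses and payloads are made up for the demonstration).

```python
"""Detection logic for the portserv.sys tunnel and the Duqu 2.0 wake-up string.

Added example, not code from the report. Three observations from the analysis
become checks over captured packets: (1) the "romanian.antihacker" knock that
registers an attacker IP with the driver, (2) the "tttttttttttttttt" string that
activates a dormant implant over SMB, and (3) traffic to port 443 whose first
bytes are SMB or RDP rather than a TLS record, which is what the driver's
443 -> 445/3389 port rewrite looks like from outside. Packet records are constructed.
"""
from typing import List, NamedTuple, Tuple

KNOCK_MAGIC = b"romanian.antihacker"
WAKEUP_MAGIC = b"tttttttttttttttt"


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x14..0x17 followed by version major 0x03."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


def looks_like_smb(payload: bytes) -> bool:
    """NetBIOS session message (type 0x00) carrying an SMB1 (0xFF) or SMB2 (0xFE) header."""
    return len(payload) >= 8 and payload[0] == 0x00 and payload[4:8] in (b"\xffSMB", b"\xfeSMB")


def looks_like_rdp(payload: bytes) -> bool:
    """TPKT header (version 3, reserved 0), the framing RDP uses for its X.224 exchange."""
    return len(payload) >= 4 and payload[0] == 0x03 and payload[1] == 0x00


def analyse(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, src, dst) tuples; 443 alerts from a known knocker are marked."""
    alerts = []
    knockers = set()   # sources that sent the knock string earlier in the capture
    for p in packets:
        if KNOCK_MAGIC in p.payload:
            knockers.add(p.src)
            alerts.append(("knock", p.src, p.dst))
        if p.dport == 445 and WAKEUP_MAGIC in p.payload:
            alerts.append(("wakeup", p.src, p.dst))
        if p.dport == 443 and not looks_like_tls(p.payload):
            if looks_like_smb(p.payload):
                kind = "smb-on-443"
            elif looks_like_rdp(p.payload):
                kind = "rdp-on-443"
            else:
                continue   # some other non-TLS payload on 443: out of scope here
            if p.src in knockers:
                kind += "-after-knock"
            alerts.append((kind, p.src, p.dst))
    return alerts


# Constructed capture: one external knock, then SMB and RDP tunnelled over 443 from the
# same source, one legitimate TLS ClientHello, and one internal wake-up packet.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", 80, b"GET /?romanian.antihacker HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 443, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00\x18"),
    Packet("203.0.113.7", "192.0.2.11", 443, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"),
    Packet("198.51.100.4", "192.0.2.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Packet("192.0.2.20", "192.0.2.12", 445, b"\x00\x00\x00\x10" + WAKEUP_MAGIC),
]

if __name__ == "__main__":
    for kind, src, dst in analyse(SAMPLE_PACKETS):
        print(f"{kind:24} {src} -> {dst}")
```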
SIMILARITIES BETWEEN DUQU AND DUQU 2.0 


The 2014/2015 Duqu 2.0 is a greatly enhanced version of the 2011 Duqu malware 
discovered by CrySyS Lab [7]. It includes many new ideas from modern malware, such as 
Regin, but also lateral movement strategies and harvesting capabilities which surpass 
those commonly seen in malware from other APT attacks. 


Side by side: 

                          2011 Duqu                   2014/2015 Duqu 2.0 
Number of victims:        <50 (estimated)             <100 (estimated) 
Persistence mechanism:    Yes                         No 
Loader:                   SYS driver                  MSI file 
Zero-days used:           Yes                         Yes 
Main storage:             PNF (custom) files          MSI files 
C&C mechanism:            HTTP/HTTPS, network pipes   HTTP/HTTPS, network pipes 
Known plugins:            6                           >100 

There are many similarities in the code that lead us to the conclusion that Duqu 2.0 was 
built on top of the original source code of Duqu. Those interested can read below for a 
technical description of these similarities. 


7 https://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf 
One of the "trademark" features unique to the original Duqu was the set of functions that 
provide logging facilities. Unlike many other APTs, Duqu logs almost every important step 
of its activity but does it in a special way: there are no readable strings written to the log. 
Instead, a series of unique numbers identify every state, error, or message in the log. 
Comparing the functions that generate every log entry in Duqu and Duqu 2.0, we can 
conclude that they are almost identical: 


[Figure: side-by-side disassembly of the log-entry constructor, class17_ctor_from_string_and_date 
in Duqu 2011 (left) and Log in Duqu 2015 (right). Both save GetLastError(), reject a string 
argument of 400h or more characters (lstrlenW), allocate the entry (class17_ctor / 
sub_1002CDDB), store four integer arguments and one byte flag into it, stamp it with 
GetSystemTimeAsFileTime, copy the optional string with lstrcpyW, and restore the saved 
error code with SetLastError before returning the entry.] 

Duqu 2011 (left) / Duqu 2015 (right) 


The first generation of Duqu was also written in a very rare and unique manner. It was 
compiled with Visual Studio and while parts of it were definitely written in C++, the 
majority of its classes were not natively generated by the C++ compiler. After analyzing 
all the possible variants, we conclude that these classes were written in OO-C, the 
objective variant of the C language, and then somehow converted into a compilable C / 
C++ source. All these classes had a very specific feature: the virtual function table of 
every instance was filled "by hand" in its constructor. Interestingly, this is no longer the 
case for Duqu 2.0. The authors upgraded their compiler from Visual Studio 2008 (used in 
2011) to Visual Studio 2013 and now use classes that look much more like native C++ 
ones: 


[Figure: the constructors class17_ctor (Duqu 2011, left) and log_item_ctor (Duqu 2.0, right). 
The 2011 constructor writes the function pointers (class17_copy_out_buffer, 
class17_ctor_from_buffer, generic_dtor) into the freshly allocated object one by one; the 
2.0 constructor stores a single pointer to the compiler-generated table log_item_vtbl 
(copy_out_buffer, ctor_from_buffer, Free) at offset 820h of the object.] 

On the left: the "hand-made" or "compiler-assisted" classes of OO-C in Duqu. 

On the right: the same class in Duqu 2.0 has a native vtable similar to a native C++ one; 
however, the offset of the vtable pointer is not zero. 
More concrete evidence of similarity can be found if we look at the functions that 
actually use the logging facilities. The authors kept using the same unique numbers to 
identify internal states, errors and function results. Networking functions are 
good candidates for comparison: 


[Figure: side-by-side disassembly of the class18 constructor, class18_ctor in Duqu 2011 
(left) and sub_1001B054 in Duqu 2015 (right). Both call WSAStartup, allocate the object 
(9Ch bytes via new in 2011, 0A0h bytes via Alloc in 2015), obtain the class11 logger 
object, log the state with the constants 347DB92Ch, 0BB07043h and 9D4D0561h (all PUSHed 
in 2011; partly passed in ECX/EDX in 2015), initialise the socket field to -1, copy the 
listen address with lstrcpyW and store the accept port. The 2011 failure path logs 
569E0BE9h before calling class18_dtor.] 

Implementation of the same networking function in Duqu and Duqu 2.0. Note the same unique numbers 
(in red rectangles) PUSHed as parameters to the logging function. 
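The comparison made above can be automated: pull the 32-bit immediates that precede the logging call out of raw code and score the overlap between two samples. The Python below is an added example, not code from the report or from either binary; the byte sequences are constructed to mirror the listings, using the constants shown in the figure (347DB92Ch, 0BB07043h, 9D4D0561h, 569E0BE9h) plus one made-up unrelated value.

```python
"""Score two code fragments by the 32-bit constants they hand to their logging routine.

Added example, not code from the report or the samples. The attribution argument in
the text is that Duqu and Duqu 2.0 push the same unique log identifiers (347DB92Ch,
0BB07043h, 9D4D0561h, 569E0BE9h in the listings) before calling the logging function.
This sweep pulls such immediates out of raw x86 code and measures the overlap between
two samples. The byte sequences below are constructed to mirror the listings; they are
not bytes taken from either binary.
"""
import struct

# One-byte opcodes followed only by a 32-bit immediate: push imm32, mov eax/ecx/edx, imm32.
IMM32_OPCODES = {0x68: "push", 0xB8: "mov eax", 0xB9: "mov ecx", 0xBA: "mov edx"}
MIN_INTERESTING = 0x10000   # drop small immediates (sizes, flags, stack adjustments)


def extract_immediates(code: bytes) -> set:
    """Return the set of large imm32 values found by a linear opcode sweep.

    This is not a disassembler: after a hit it skips the 4 immediate bytes so they are
    not re-read as opcodes, but data embedded in the code can still yield false hits.
    For a similarity score that noise is tolerable.
    """
    found = set()
    i = 0
    while i + 5 <= len(code):
        if code[i] in IMM32_OPCODES:
            value = struct.unpack_from("<I", code, i + 1)[0]
            if value >= MIN_INTERESTING:
                found.add(value)
            i += 5
        else:
            i += 1
    return found


def shared_constants(a: bytes, b: bytes) -> set:
    """Constants both fragments pass around: the report's 'same unique numbers'."""
    return extract_immediates(a) & extract_immediates(b)


def jaccard(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two constant sets (0.0 .. 1.0)."""
    sa, sb = extract_immediates(a), extract_immediates(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


# Constructed stand-in for the 2011 class18_ctor: constants PUSHed before the call.
DUQU_2011_SAMPLE = bytes.fromhex(
    "6a01" "6a00" "6a00"        # push 1 ; push 0 ; push 0
    "6861054d9d"                # push 9D4D0561h
    "684370b00b"                # push 0BB07043h
    "682cb97d34"                # push 347DB92Ch
    "e800000000"                # call class17_ctor_from_string_and_date (rel32 zeroed)
    "33db"                      # xor ebx, ebx
    "68e90b9e56"                # push 569E0BE9h (failure path)
    "e800000000"                # call class17_ctor_from_string_and_date
)
# Constructed stand-in for the 2015 routine: two of the constants travel in ECX/EDX.
DUQU_2015_SAMPLE = bytes.fromhex(
    "ba4370b00b"                # mov edx, 0BB07043h
    "6a01" "6a00" "6a00"        # push 1 ; push 0 ; push 0
    "6861054d9d"                # push 9D4D0561h
    "b92cb97d34"                # mov ecx, 347DB92Ch
    "e800000000"                # call Log
    "b844332211"                # mov eax, 11223344h (constructed, unrelated constant)
)

if __name__ == "__main__":
    print("shared:", sorted(hex(c) for c in shared_constants(DUQU_2011_SAMPLE, DUQU_2015_SAMPLE)))
    print("jaccard:", jaccard(DUQU_2011_SAMPLE, DUQU_2015_SAMPLE))
```

On the constructed samples the three logging constants are shared and the score is 0.6; on real binaries the same sweep over the whole .text section gives a cheap first-pass signal before a proper disassembly.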




[Figure: Duqu 2011 disassembly of class19_recv. After recv() returns, the routine compares 
WSAGetLastError() against 2733h (WSAEWOULDBLOCK) and 2749h (WSAENOTCONN) and records 
the outcome through class17_ctor_from_string_and_date and class_11.logger_log, using the 
same kind of unique numeric state identifiers.] 

Another networking routine: after calling recv() to receive data from the network, Duqu logs the 
results and possible network errors (obtained via WSAGetLastError()). Unique numbers in red 
rectangles are used to identify the current state of the networking routine. 


The code of the orchestrator evolved in many aspects since 2011. One of the notable 
differences is a huge list of HTTP User-Agent strings that are now used instead of a single 
hard-coded one: 



[Figure: string table of the Duqu 2.0 orchestrator. Besides HTTP helper strings 
("application/octet-stream", "image/gif", "chunked", "%X\r\n", "%u", "boundary=", 
"content-type", "multipart/form-data") it holds the User-Agent pool; the entries legible 
in the listing are: 
  Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.6 (KHTML, like Gecko) Chrome/16.0.897.0 Safari/535.6 
  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) 
  Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322) 
  Mozilla/5.0 (Windows NT 6.2; WOW64; rv:15.0) Gecko/20120910144328 Firefox/15.0.2 
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) 
  Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0 
  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0) 
  (further entries cut off in the source)] 
The authors also modified the "magic" two-byte value that identifies encrypted network 
traffic: "SH" was replaced with a more neutral and harder to trace "WW": 


[Figure (caption cut off in the source: "Code that verifie..."): the routine that checks the 
two-byte tag at the start of a received command header. Duqu 2011 loads 'HS' into EAX and 
compares it with word ptr [ebp+cmd_header] before copying the command into 
class_43.cmd; Duqu 2.0 performs the same check with 'WW'.] 

The characters appear swapped in the disassembly ('HS' for the on-wire "SH") because x86/x64 stores multi-byte values in little-endian byte order. 
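To make the byte-order point concrete, here is an added example, not code from the Kaspersky report, that writes out the magic check from the two listings above. The header layout mirrors only what the listings touch (a 16-bit magic at offset 0, a 32-bit value at offset 2, and a byte at offset 6 that must be zero); the field names and the "command" meaning of the 32-bit value are assumptions for this example.

```python
"""Added example (not from the Kaspersky report): the two-byte magic check from the
listings above, showing why IDA prints 'HS' while the bytes on the wire read "SH"."""
import struct

# The immediates as IDA prints them: 'HS' is the 16-bit value 0x4853, 'WW' is 0x5757.
MAGIC_DUQU_2011 = (ord("H") << 8) | ord("S")
MAGIC_DUQU_2_0 = (ord("W") << 8) | ord("W")


def wire_bytes(magic16: int) -> bytes:
    """How a 16-bit immediate is laid out in memory (and so on the wire) by little-endian x86."""
    return struct.pack("<H", magic16)


def build_cmd_header(magic16: int, cmd: int, flag: int = 0) -> bytes:
    """Construct a 7-byte header as the target would see it in memory.
    Layout (assumed for this example): magic at +0, 32-bit value at +2, byte at +6."""
    return struct.pack("<HIB", magic16, cmd, flag)


def parse_cmd_header(buf: bytes, magic16: int):
    """Reproduce the checks visible in the listing:
         cmp word ptr [ebp+cmd_header], ax   ; 16-bit magic must match
         cmp [ebp+cmd_header+6], cl          ; byte at +6 must be 0 (cl was zeroed)
    Returns the 32-bit value at offset 2, or None if any check fails."""
    if len(buf) < 7:
        return None
    (got_magic,) = struct.unpack_from("<H", buf, 0)  # reads bytes 0-1 little-endian
    if got_magic != magic16:
        return None
    (cmd,) = struct.unpack_from("<I", buf, 2)
    if buf[6] != 0:
        return None
    return cmd


def classify_magic(buf: bytes):
    """Label a captured header by its magic: "Duqu 2011" for "SH", "Duqu 2.0" for "WW"."""
    if len(buf) < 2:
        return None
    (got_magic,) = struct.unpack_from("<H", buf, 0)
    return {MAGIC_DUQU_2011: "Duqu 2011", MAGIC_DUQU_2_0: "Duqu 2.0"}.get(got_magic)


if __name__ == "__main__":
    print(wire_bytes(MAGIC_DUQU_2011), wire_bytes(MAGIC_DUQU_2_0))
```

Note that the 'WW' replacement is symmetric, so the byte-order swap is only visible for the 2011 value; that is one reason the newer magic is harder to spot in a capture.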

Both Duqu and Duqu 2.0 use special structures to describe the interfaces of their plugins. 
The orchestrator also has one for the "core" plugin that is compiled into its code. The 
newer version has a slightly bigger table, hence more functions, and a different notation 
for describing the plugin features: special strings (e.g. "A888A8>(a") describe each 
function's signature. The older Duqu contained similar strings in binary (non-printable) 
form. 


[Figure: IDA listings of the data structure describing the "core" plugin, one panel for Duqu 2011 and two for Duqu 2.0 (labelled "Duqu 2015"). Legible fragments only:

Duqu 2011 (1003A77C..1003A848): dd offset aBadAlloc ; offsets of byte_10034620, byte_10034624, byte_10034629, byte_10034638 ; dd offset sub_100237DE ; dd offset sub_10023834 ; dword_1003A838 dd 1 ; comment "; LZO 2.03 Apr 30 2" (rest not legible)

Duqu 2.0, first version (1004123C..10042358): offsets of sub_10016F89, sub_10016F9F, sub_10016FB3, sub_10017017, sub_100176CB, sub_100176E3 ; offsets into signature strings, at +4, +0Ch and +14h, with fragments "A8>83>B0B", "A8>83>B?4@" and "A88B3A88B7<7A88BA8>83>B?4@"

Duqu 2.0, second version (10042370..10042388 and following): dd offset DoFindModuleUn (name truncated) ; dd offset sub_10010929 ; dd offset sub_10010951 ; dd offset sub_10010979 ; dd offset unk_10033E8C ; dd offset unk_10035C9C ; offsets into the same signature strings at +8, +0Dh, +10h and +14h ; dd 1 ; dd 4 ; dd offset sub_10010FE0 ; dd 0 ; dd offset sub_10010FF8 ; sub_10011019 ; dd offset unk_10034B14 ; dd offset unk_10035E24 ; dd offset dword_100334F8]

Data structure that describes the "core" plugin of Duqu and two different versions of Duqu 2.0. 
Note the same constants and similar functions. 
The Duqu C&C code makes use of small image files to hide its communications over 
unencrypted channels such as HTTP. The original Duqu used a JPEG file, and known versions 
of Duqu 2.0 use a similar JPEG file as well as a new, larger GIF file. The layout of the 
data section also did not change much: the image data is preceded by short AES encryption 
keys (the string "sh123456" in Duqu, two binary DWORDs in Duqu 2.0) followed by the LZO 
version string "2.03". 
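The key / "2.03" / image layout just described is stable enough to look for in memory dumps or unpacked modules. The following is an added example, not code from the Kaspersky report, that scans a byte blob for that layout. The "2.03\0" marker and the JPEG and GIF magics are well-known constants; the 32-byte window allowed between the marker and the image header, the 8-byte key length, and the sample blob are constructed assumptions for this example.

```python
"""Added example (not from the Kaspersky report): locate "key + '2.03' + image" slots
in a binary blob, the layout the text above describes for Duqu and Duqu 2.0."""
import struct

LZO_VERSION_MARKER = b"2.03\x00"          # NUL-terminated LZO version string
IMAGE_MAGICS = {
    b"\xff\xd8\xff": "JPEG",               # SOI followed by a marker byte
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}


def find_image_payload_slots(blob: bytes, max_gap: int = 32, key_len: int = 8):
    """Return one dict per '2.03\\0' marker that is followed, within max_gap bytes,
    by a JPEG or GIF header: marker offset, key bytes that precede the marker
    (key_len of them, an assumption), image kind and image offset."""
    hits = []
    pos = blob.find(LZO_VERSION_MARKER)
    while pos != -1:
        window_start = pos + len(LZO_VERSION_MARKER)
        window = blob[window_start:window_start + max_gap + 6]   # +6: longest magic
        found = None
        for magic, kind in IMAGE_MAGICS.items():
            idx = window.find(magic)
            if idx != -1 and idx <= max_gap and (found is None or idx < found[0]):
                found = (idx, kind)
        if found is not None:
            key_start = max(0, pos - key_len)
            hits.append({
                "marker_offset": pos,
                "key_bytes": blob[key_start:pos],
                "image_kind": found[1],
                "image_offset": window_start + found[0],
            })
        pos = blob.find(LZO_VERSION_MARKER, pos + 1)
    return hits


# Constructed sample blob (not Duqu data): a string-style key before a JPEG, a decoy
# marker with no image nearby, and a two-DWORD key before an 11x11 GIF.
KEY_A = b"k1k1k1k1"                                    # constructed 8-byte key
KEY_B = struct.pack("<II", 0xDEADBEEF, 0x01020304)     # constructed two-DWORD key
SAMPLE_BLOB = (
    b"\x00" * 16
    + KEY_A + LZO_VERSION_MARKER + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20
    + b"\x00" * 8
    + LZO_VERSION_MARKER + b"\x00" * 64               # decoy: marker, no image follows
    + KEY_B + LZO_VERSION_MARKER + b"\x01\x00\x00\x00" + b"GIF89a" + b"\x0b\x00\x0b\x00" + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in find_image_payload_slots(SAMPLE_BLOB):
        print(hit["image_kind"], "at", hex(hit["image_offset"]), "key", hit["key_bytes"].hex())
```

The decoy shows why the image magic is required: the bare version string also occurs in any statically linked LZO, so on its own it is not evidence of this layout.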


[Figure: IDA listings of the image data used for hiding C&C communication, with the preceding keys and LZO version string. Legible fragments only:

Duqu 2011: dword_10034634 dd 1006060Fh, followed by two more dd 1006060Fh at 10034638 and 1003463C ; off_10038444 holding six "dd offset sub_..." entries ; dword_1003845C dd 46F21B8Ch ; "2.03" at 10038464 ; class38_write_JPEG_and_ (name truncated) ; JPEG bytes at byte_10038478 (JFIF APP0 with 0, 60h, 0, 60h, a 0FFh, 0DBh quantisation table, 0FFh, 0C4h Huffman tables, ending in 0FFh, 0D9h)

Duqu 2.0 ("Duqu 2015"): dd 0CB8741BDh ; dd 2ED2B6A6h ; dd 19909981h ; db '2.03',0 ; dd 0A000000h ; dd 7000000h (cross-referenced from sub_10026481, sub_10021AD1 and sub_10025014) ; GIF bytes at 10036B08 (0Bh, 0 ... 21h, 0F9h, 4, 1 ... 2Ch, 4 dup(0), 0Bh, 0, 0Bh, 0, 87h followed by a colour table built from the values 0, 33h, 66h, 99h, 0CCh, 0FFh) ; a second panel (10038750..1003879C) with a JPEG similar to the 2011 one]

Image data used for hiding C&C communication: JPEG in Duqu, similar JPEG in Duqu Bet and 
GIF in a different version of Duqu Bet. Note the preceding LZO version string "2.03" and encryption keys. 


The large number of similarities between the Duqu 2011 code and the new Duqu 2.0 
samples indicates that the new code represents a new iteration of the malware platform. 
The new version could not have been built without access to the 2011 Duqu source 
code. Hence, we conclude that the authors are the same or working together. 


VICTIMS OF DUQU 2.0 


Victims of Duqu 2.0 were found in several places, including western countries, the 
Middle East and Asia. The actor appears to compromise both final and utilitarian targets, 
which allow them to improve their cyber capabilities. 


Most of the final targets appear to be similar to their 2011 goals - which is to spy on 
Iran's nuclear program. Some of the new 2014-2015 infections are linked to the P5+1 
events and venues related to the negotiations with Iran about a nuclear deal. The threat 
actor behind Duqu appears to have launched attacks at the venues for some of these 
high level talks. In addition to the P5+1 events, the Duqu 2.0 group has launched a similar 
attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau [8]. 


8 http://70.auschwitz.org/index.php?lang=en 
The other type of targets for the new attacks are what we call "utilitarian" targets. These 
are companies that the attackers compromise to improve their cyber capabilities. 

For instance, in 2011, the attackers compromised a certificate authority in Hungary; 
obviously, this would allow them to generate digital certificates, which can be further 
used to sign malware samples. The same pattern can be seen with the Duqu 2.0 
infections. Some of the companies infected with Duqu 2.0 operate in the sector of 
Industrial Control Systems as well as industrial computers. 

ATTRIBUTION 


As usual, attribution of cyberattacks over the Internet is a difficult task. In the case of 
Duqu, the attackers use multiple proxies and jumping points to mask their connections. 
This makes tracking an extremely complex problem. 

Additionally, the attackers have tried to include several false flags throughout the code, 
designed to send researchers in the wrong direction. For instance, one of the drivers 
contains the string "ugly.gorilla", which obviously refers to Wang Dong [9], a Chinese 
hacker believed to be associated with the APT1/Comment Crew. The usage of the 
Camellia cipher in the MSI VFSes, previously seen in APT1-associated Poison Ivy samples, 
is another false flag planted by the attackers to make researchers believe they are dealing 
with APT1-related malware. The "romanian.antihacker" string used in the "portserv.sys" 
driver is probably designed to mimic "w00tw00t.at.blackhats.romanian.anti-sec" requests 
that are often seen in server logs, or simply to point to an alleged Romanian origin of the 
attack. The usage of rare compression algorithms can also be deceptive. For instance, the 
LZJB algorithm used in some of the samples is rarely seen in malware samples; it has 
been used by MiniDuke, which we reported in early 2013. 

Nevertheless, such false flags are relatively easy to spot, especially when the attacker is 
extremely careful not to make any other mistakes. 

During our 2011 analysis, we noticed that the logs collected from some of the proxies 
indicated that the attackers appeared to work less on Fridays and not at all on 
Saturdays, with their regular work week starting on Sunday. They also compiled binaries 
on January 1st, indicating it was probably a normal work day for them. The compilation 
timestamps in the binaries seemed to suggest a time zone of GMT+2 or GMT+3. Finally, 
their attacks would normally occur on Wednesdays, which is why we originally called 
them the "Wednesday Gang". While the 2014 attack against Kaspersky Lab also took 
place on a Wednesday, the gang made huge OPSEC improvements compared to their 
older 2011 operations, including faking all the timestamps in PE files and removing the debug 
paths and internal module names for all plugins. 
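The work-week and time-zone reasoning above is a standard analyst check on compile timestamps. The following is an added example, not the report's analysis code, that summarises a set of PE timestamps by local weekday and scores candidate UTC offsets by how many builds land in business hours. The timestamps are constructed for this example (a Sun-Thu week entered as UTC+2 wall-clock times), not Duqu samples, and the business-hours window of 08:00-18:00 is an assumption. As the report notes, Duqu 2.0 fakes its PE timestamps, so this only applies to samples whose timestamps are believed genuine.

```python
"""Added example (not from the Kaspersky report): weekday / time-zone profiling of
compile timestamps, the check described in the paragraph above."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _ts(y, m, d, hour, minute=0, utc_offset_hours=2):
    """Build a Unix timestamp from a wall-clock time in a given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime(y, m, d, hour, minute, tzinfo=tz).timestamp())


# Constructed sample (not Duqu data): eight compile times, one Sun-Thu work week
# in UTC+2 plus a single Friday build and nothing on Saturday.
SAMPLE_TIMESTAMPS = [
    _ts(2011, 1, 2, 10),      # Sun
    _ts(2011, 1, 3, 9, 30),   # Mon
    _ts(2011, 1, 4, 14),      # Tue
    _ts(2011, 1, 5, 11),      # Wed
    _ts(2011, 1, 5, 16),      # Wed
    _ts(2011, 1, 6, 10),      # Thu
    _ts(2011, 1, 7, 9),       # Fri
    _ts(2011, 1, 9, 13),      # Sun
]


def weekday_profile(timestamps, utc_offset_hours):
    """Count timestamps per local weekday under the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    counts = Counter(WEEKDAYS[datetime.fromtimestamp(t, tz).weekday()] for t in timestamps)
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def silent_days(timestamps, utc_offset_hours):
    """Weekdays with no activity at all under the given offset: the candidate weekend."""
    profile = weekday_profile(timestamps, utc_offset_hours)
    return [day for day in WEEKDAYS if profile[day] == 0]


def business_hours_fraction(timestamps, utc_offset_hours, start=8, end=18):
    """Fraction of timestamps whose local hour falls in [start, end) (assumed window)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours = [datetime.fromtimestamp(t, tz).hour for t in timestamps]
    return sum(start <= h < end for h in hours) / len(hours)


def best_offsets(timestamps, candidates=range(-12, 15)):
    """UTC offsets under which the largest share of builds land in business hours.
    Several adjacent offsets usually tie, which is why this method only narrows a
    time zone down to a small range (the report could only say GMT+2 or GMT+3)."""
    scored = {off: business_hours_fraction(timestamps, off) for off in candidates}
    top = max(scored.values())
    return [off for off in candidates if scored[off] == top]


if __name__ == "__main__":
    print(weekday_profile(SAMPLE_TIMESTAMPS, 2))
    print("silent days:", silent_days(SAMPLE_TIMESTAMPS, 2))
    print("best offsets:", best_offsets(SAMPLE_TIMESTAMPS))
```

The weekday profile alone is robust to a few hours of time-zone error, but the silent day only becomes meaningful with many samples; a handful of builds will show empty weekdays by chance.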

The 2014 Duqu 2.0 binaries contain several strings in almost perfect English but one of 
them has a minor mistake indicating the involvement of non-native speakers. The usage 
of "Excceeded" instead of "Exceeded" in the file-harvesting module of Duqu 2.0 is the 
only language mistake we observed. 


9 http://www.fbi.gov/wanted/cyber/wang-dong/view 
Misspelling of the word "Exceeded" in Duqu 2.0. 


Most interestingly, one of the victims appears to have been infected both by the Equation 
Group and by the Duqu group at the same time; this suggests the two entities are 
different and competing with each other to obtain information from this victim. 


CONCLUSIONS 


During the 2011 Duqu attacks, we concluded that its main purpose could have been to 
spy on Iran's nuclear program. Some of the victims appear to have been "utilitarian", such 
as one certificate authority in Hungary, which was compromised by Duqu and ultimately 
led to its discovery. The group behind Duqu hacks these "utilitarian" victims in order to 
gain certain technical abilities, such as signing their malware with trusted certificates, or to 
use them as platforms for further attacks. 

The 2014/2015 Duqu 2.0 appears to be a massive improvement over the older "Tilded" 
platform, although the main orchestrator and C&C core remain largely unchanged. Back 
in 2011 we pointed out the usage of Object Oriented C [10] as an unusual programming 
technique. The 2014 version maintains the same core, although some new objects in 
C++ have been added. The compiler used for the 2014 version is newer and results in different 
code optimizations. Nevertheless, the core remains the same in functionality, and it is 
our belief it could not have been created by anyone without access to the original Duqu 
source code. Since that source has never been made public, and considering the main interest 
appears to have remained the same, we conclude the attackers behind Duqu and Duqu 
2.0 are the same. 

The targeting of Kaspersky Lab represents a huge step for the attackers and an indicator 
of how quickly the cyber-arms race is escalating. Back in 2011 and 2013 respectively, RSA [11] 
and Bit9 [12] were hacked by Chinese-language APT groups; however, such incidents 
were considered rare. In general, an attacker risks a lot targeting a security company, 
because they can get caught and exposed. The exact reason why Kaspersky Lab 
was targeted is still not clear, although the attackers did seem to focus on obtaining 
information about Kaspersky's future technologies: Secure OS, anti-APT solutions, KSN 
and APT research. 


10 https://securelist.com/blog/research/52554/the-mystery-of-duqu-framework-solved-7/ 

11 https://blogs.rsa.com/anatomy-of-an-attack/ 

12 https://blog.bit9.com/2015/02/08/bit9-and-our-customers-security/ 
From a threat actor point of view, the decision to target a world-class security company 
must be quite difficult. On one hand, it almost surely means the attack will be exposed; 
it's very unlikely that the attack will go unnoticed. So the targeting of security companies 
indicates that either they are very confident they won't get caught, or perhaps they don't 
care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu 
attackers have probably taken a huge bet hoping they'd remain undiscovered; and lost. 

For a security company, one of the most difficult things is to admit falling victim to a 
malware attack. At Kaspersky Lab, we strongly believe in transparency, which is why 
we are publishing the information herein. For us, the security of our users remains the 
most important thing - and we will continue to work hard to maintain your trust and 
confidence. 